feat: workflow commands that can patch and output an SBOM for declared vs concluded licenses

[spiffcs]

SPDX makes a distinction between declared and concluded packages.

Declared: "List the licenses that have been declared by the authors of the package" Concluded: "Contain the license the SPDX document creator has concluded as governing the package or alternative values, if the governing license cannot be determined."

Grant should provide a command that allows a user to 👍 or 👎 a license as concluded for a given package

SPDX documents output by this command would have the extra step of allowing a users to add information to the SPDX "Comments on license field". This field provides a place for the SPDX document creator to record any relevant background information or analysis that went in to arriving at the Concluded License for a package.