
Share OSSF project inventory with downstream consumers for incident response

Open sevansdell opened this issue 1 year ago • 0 comments

After all the projects are done self-identifying the initial stage they are in, I propose we adjust the incubating project lifecycle to post an SBOM on their GitHub repo, maintain updating it with some frequency, and include a purl for software identification.

sevansdell Apr 04 '24 19:04