
Make PR check fail when finding invalid SPDX 2.x SBOM

Open bact opened this issue 7 months ago • 1 comment

This PR fixes two issues in the SPDX 2.x validation step of the PR check workflow:

  1. tools-java behavior is not stable:
    • To fix that, this PR changes the workflow to use a released tools-java.jar instead of building it from the latest source.
    • Based on a suggestion from @goneall in #114
  2. Check marked as "Passed" even when some validations failed:
    • To fix that, this PR changes the workflow to run tools-java.jar Verify outside find -exec, so the Verify exit code is not hidden and can be used to fail the workflow.
    • The validation step will not fail immediately once it finds an invalid SBOM, but will collect all invalid ones, report a summary at the end of the step, and exit with a non-zero value to eventually fail the check.

This PR also adds the --quiet option to spdx3-validate to disable its spinner and make the run log more compact and easier to read.

--

Note that this PR currently fails the PR check because there are 3 SBOMs that don't pass SBOM validation:

  • #117
  • #116
  • #102

bact avatar Apr 08 '25 03:04 bact
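The exit-code problem described in the PR above, as an added example that is not part of the spdx-examples repository or of this PR: `find -exec ... \;` reports only whether find itself ran, so a failing validator never fails the step. The second function is the pattern the PR describes, validating each file from the shell, recording every failure, printing a summary and returning non-zero at the end. `verify_sbom` is an assumed stand-in for the real `java -jar tools-java.jar Verify "$f"` call so that the example runs offline; it only checks for an `SPDXVersion: SPDX-2.3` line and is not a real SBOM validator. The sample tree is constructed for the example and contains no real SBOMs.

```shell
#!/bin/sh
# Added example, not code from spdx-examples or from this PR.

# Assumed stand-in for: java -jar tools-java.jar Verify "$1"
# It only checks for an SPDXVersion line so the example runs offline.
verify_sbom() {
    grep -q '^SPDXVersion: SPDX-2\.3$' "$1"
}

# The pattern the PR replaces: find runs the check per file, but with the
# "\;" form find's own exit status stays 0 no matter what the command
# returned, so a CI step built on this line is marked "Passed".
hidden_exit_code() {
    # Same check as verify_sbom, inlined because -exec cannot call a shell function.
    find "$1" -name '*.spdx' -exec grep -q '^SPDXVersion: SPDX-2\.3$' {} \;
}

# The pattern the PR introduces: validate every file, keep going after a
# failure, list the invalid ones in a summary, and return non-zero if any
# failed. After the call, $count and $failed hold the results.
collect_and_fail() {
    dir="$1"
    failed=""
    count=0
    # Heredoc instead of a pipe so the loop runs in the current shell and
    # the counters survive; IFS= / read -r keeps paths with spaces intact.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if verify_sbom "$f"; then
            echo "PASS $f"
        else
            echo "FAIL $f"
            failed="$failed $f"
            count=$((count + 1))
        fi
    done <<EOF
$(find "$dir" -name '*.spdx' | sort)
EOF
    echo "--- $count invalid SBOM(s):$failed"
    [ "$count" -eq 0 ]
}

# Constructed sample tree for the example (not real SBOMs):
# two files that pass the stand-in check and one that does not.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/software/example1" "$d/software/example2"
    printf 'SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n' > "$d/software/example1/good1.spdx"
    printf 'SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\n' > "$d/software/example2/good2.spdx"
    printf 'SPDXVersion: SPDX-9.9\nDataLicense: CC0-1.0\n' > "$d/software/example2/bad.spdx"
    echo "$d"
}

# Usage in a CI step:
#   tree=$(make_sample_tree)
#   hidden_exit_code "$tree"; echo "find -exec exit: $?"   # 0 despite bad.spdx
#   collect_and_fail "$tree"; echo "collected exit: $?"    # non-zero, 1 invalid
```

In the workflow the stand-in is replaced by the real `java -jar tools-java.jar Verify "$f"` call; the loop, summary and final `[ "$count" -eq 0 ]` are what make the step's exit status reflect the validator's results.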

Reviewed during 2025-04-08 Tech Team meeting.

bact avatar Apr 09 '25 10:04 bact

Update tools-java version to 2.0.1

bact avatar Apr 29 '25 02:04 bact