Reduce permissions required to export an SBOM
SBOMs can be exported from GitLab with this tutorial, but to do so, a token with the api scope is required.
The `api` scope is the highest permission level that can be granted ("Grants complete read/write access to the API, including all groups and projects"), yet it is needed here for just one operation (exporting the SBOM). This makes the feature risky to use at scale.
In comparison, GitHub has an API endpoint to export project SBOMs that relies on a read-only permission ("Contents" repository permissions (read)).
Proposal
There are two options there:
- Don't require the `api` scope, but only the `read_api` scope.
- Create a specific scope with the `read_dependency` and `read_vulnerability` abilities
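As an added example (not code from this issue or from GitLab itself), the following pre-flight check lets an operator see whether the token handed to an SBOM export job carries more privilege than the operation needs, today `api` and, under the first proposal above, `read_api`. It assumes the real GitLab endpoint `GET /api/v4/personal_access_tokens/self`, which returns the calling token's `scopes`; the scope ranking (`api` covers everything `read_api` grants) is taken from the description above, the sample response is constructed, and the function names are this example's own.

```python
import json
import urllib.request

# Ordering assumed from the issue text: `api` is full read/write and therefore
# strictly broader than the read-only `read_api`. Scopes not listed here are
# treated as unrelated to the export operation.
SCOPE_RANK = {"read_api": 1, "api": 2}

# Constructed sample of what /personal_access_tokens/self returns (trimmed).
SAMPLE_TOKEN_RESPONSE = '{"id": 42, "name": "sbom-export", "active": true, "scopes": ["api"]}'


def scopes_from_response(body: str) -> list:
    """Extract the scope list from a personal_access_tokens/self JSON body."""
    return list(json.loads(body)["scopes"])


def token_scopes(gitlab_url: str, token: str) -> list:
    """Ask GitLab which scopes the supplied personal access token carries."""
    req = urllib.request.Request(
        f"{gitlab_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return scopes_from_response(resp.read().decode())


def assess_token(scopes: list, required: str) -> tuple:
    """Compare a token's scopes against the single scope the export needs.

    Returns ("ok", []) for an exact least-privilege match, ("excess", [...])
    when the token carries the required scope plus others or a scope broader
    than the required one, and ("missing", []) when it cannot do the export.
    """
    have = set(scopes)
    if required in have:
        extra = sorted(have - {required})
        return ("ok", []) if not extra else ("excess", extra)
    broader = sorted(s for s in have if SCOPE_RANK.get(s, 0) > SCOPE_RANK.get(required, 0))
    if broader:
        return ("excess", broader)
    return ("missing", [])


if __name__ == "__main__":
    # Offline demonstration on the constructed response: an `api` token is
    # exactly what the export needs today, but over-privileged once the export
    # only needs `read_api`.
    scopes = scopes_from_response(SAMPLE_TOKEN_RESPONSE)
    print("current requirement (api):     ", assess_token(scopes, "api"))
    print("proposed requirement (read_api):", assess_token(scopes, "read_api"))
```

Run `token_scopes(url, token)` in place of the constructed sample to check a live token before an export job starts; a result of `"excess"` is the signal that the job is running with more than it needs.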