Move SBOM validate after upload; pin check-jsonschema in requirements file

- Upload artifact before validate so inspectable copy exists if validation fails
- Add .ci/requirements-sbom.txt with pinned check-jsonschema==0.37.1
- Use requirements file in workflow (Renovate-updatable)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: aclark4life

.ci/requirements-sbom.txt

@@ -0,0 +1 @@
+check-jsonschema==0.37.1

.github/workflows/wheels.yml

@@ -298,17 +298,17 @@ jobs:
       - name: Generate CycloneDX SBOM
         run: python3 .github/generate-sbom.py
 
-      - name: Validate SBOM
-        run: |
-          pip install check-jsonschema
-          check-jsonschema --schemafile "https://raw.githubusercontent.com/CycloneDX/specification/1.7/schema/bom-1.7.schema.json" *.cdx.json
-
       - name: Upload SBOM as workflow artifact
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: sbom
           path: "*.cdx.json"
 
+      - name: Validate SBOM
+        run: |
+          pip install -r .ci/requirements-sbom.txt
+          check-jsonschema --schemafile "https://raw.githubusercontent.com/CycloneDX/specification/1.7/schema/bom-1.7.schema.json" *.cdx.json
+
   sbom-publish:
     if: |
       github.event.repository.fork == false