Description
Describe the feature request
CycloneDX and GGCR libraries exist at a specific version. The version used by the webhook library may differ from the version that a convention server wants to use. If either of these libraries ever makes a breaking change, then we'd be forcing a specific choice onto consumers. In both cases, the content will continue to exist; webhook servers can unmarshal the data into the same structs if they so desire, or can use some other struct.
The value of the CycloneDX types is quite low and just a convenience method. It could be easily dropped and pushed fully into the convention server implementation.
Making the same change for GGCR is a bit more involved, but treating the OCI metadata as an opaque blob may be beneficial over assuming that it has a specific structure.
Is your feature request related to a problem? Please describe
Describe alternatives you've considered
Additional context
These types of changes are very easy to make now, before an official release.
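The trade-off described in this issue, as an added Go example that is not the project's own code: a hypothetical `ImageConfig` type carries the OCI config as `json.RawMessage`, so fields the library knows nothing about survive a pass through it and the consumer decodes with its own struct. Every type, function and field name here, and the sample payload, is an assumption constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ImageConfig is a hypothetical webhook payload type (not the project's own).
// Config holds the OCI image config as an opaque blob, so the webhook
// library needs no dependency on a particular GGCR version.
type ImageConfig struct {
	Image  string          `json:"image"`
	Config json.RawMessage `json:"config"`
}

// consumerConfig is the convention server's own view of the blob: it decodes
// only the fields it needs, using whatever types or library version it prefers.
type consumerConfig struct {
	Config struct {
		Env []string `json:"Env"`
	} `json:"config"`
}

// EnvOf decodes the opaque blob on the consumer side.
func EnvOf(ic ImageConfig) ([]string, error) {
	var c consumerConfig
	if err := json.Unmarshal(ic.Config, &c); err != nil {
		return nil, fmt.Errorf("decode image config: %w", err)
	}
	return c.Config.Env, nil
}

// RoundTrip decodes a payload and re-encodes it, as a library passing the
// request through would. The blob is never interpreted on the way.
func RoundTrip(in []byte) ([]byte, error) {
	var ic ImageConfig
	if err := json.Unmarshal(in, &ic); err != nil {
		return nil, err
	}
	return json.Marshal(ic)
}

// Constructed sample payload; "futureField" stands in for a field that a
// struct definition pinned to an older library version would not declare.
const sample = `{"image":"registry.example/app:1.0","config":{"architecture":"amd64","futureField":{"x":1},"config":{"Env":["PATH=/bin"]}}}`

func main() {
	out, _ := RoundTrip([]byte(sample))
	fmt.Println(string(out) == sample) // unknown fields are preserved
}
```

Had `Config` been a typed struct without `futureField`, the same round trip would silently drop that field from the metadata the consumer receives.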