
chore: Generate SLSA provenance for SBOM (#14438) #14507

Merged: 7 commits, Jul 17, 2023

Conversation

enteraga6 (Contributor):

closes #14438

This replaces Cosign with SLSA provenance generation and provides consistency with SLSA provenance generation for other artifacts. Verification is done with slsa-verifier; docs are updated to reflect this process.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
    Use SLSA attestations to attest to SBOMs #14438

  • The title of the PR states what changed and the related issues number (used for the release note).

  • The title of the PR conforms to the Toolchain Guide

  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.

  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.

  • Does this PR require documentation updates?

  • I've updated documentation as required by this PR.

  • Optional. My organization is added to USERS.md.

  • I have signed off all my commits as required by DCO

  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.

Tested release workflow on personal fork here using this workflow

SLSA Verifier Test took place on local CLI with successful result, verifying downloaded SBOM artifact and provenance:

Verified signature against tlog entry index 27409036 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a45fee08f9a61155208816ebb8e5547295e6f07b12e3c5d82abab11df97a58083
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" at commit ecace957a88916b139d1aba54eb0d031e1446981
Verifying artifact ../sbom.tar.gz: PASSED
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.

Please see Contribution FAQs if you have questions about your pull-request.

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
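As an added example (my own code, not Argo CD's release workflow and not slsa-github-generator or slsa-verifier code), the Python below shows the two halves of the flow the PR description and commit list refer to: the `base64-subjects` value a build job hands to `generator_generic_slsa3.yml` once it "includes hashes in generate-sbom output", and the provenance checks that correspond to `slsa-verifier verify-artifact --provenance-path ... --source-uri ... --source-tag ...` after the signature has been validated. Assumptions: the SLSA v0.2 predicate layout; a constructed SBOM byte string and a constructed DSSE envelope with a placeholder signature; `github.com/argoproj/argo-cd` and `v2.8.0` as the verify-time source URI and tag (the tag the cherry-pick commit message mentions); illustrative `buildType` and `entryPoint` values. Keyless Sigstore signing and the Rekor log lookup shown in the quoted output are deliberately not reimplemented; that remains slsa-verifier's job.

```python
"""Added example, not Argo CD project code: SBOM provenance subjects and
slsa-verifier-style policy checks on constructed data."""
import base64
import hashlib
import json

# Builder ID from the slsa-verifier output quoted in the PR, minus the
# "@refs/tags/v1.7.0" version suffix (the verifier also checks that suffix).
GENERIC_BUILDER_ID = (
    "https://github.com/slsa-framework/slsa-github-generator"
    "/.github/workflows/generator_generic_slsa3.yml"
)


def base64_subjects(artifacts):
    """`base64-subjects` input of the generic generator: base64 of sha256sum
    style lines ("<hex digest>  <file name>"), i.e. what a build job produces
    with `sha256sum sbom.tar.gz | base64 -w0`."""
    lines = "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n"
        for name, data in artifacts.items()
    )
    return base64.b64encode(lines.encode()).decode()


def parse_subjects(b64):
    """Inverse of base64_subjects: the in-toto `subject` list written into
    the provenance statement."""
    subjects = []
    for line in base64.b64decode(b64).decode().splitlines():
        digest, name = line.split(maxsplit=1)
        subjects.append({"name": name, "digest": {"sha256": digest}})
    return subjects


def make_envelope(subjects, builder_id, config_uri):
    """CONSTRUCTED stand-in for the DSSE envelope the generator uploads beside
    the artifact (sbom.tar.gz.intoto.jsonl). SLSA v0.2 layout assumed;
    buildType and entryPoint are illustrative values, not from the page."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": subjects,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
            "invocation": {"configSource": {"uri": config_uri,
                                            "entryPoint": ".github/workflows/release.yaml"}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # Placeholder signature: keyless Sigstore signing and the Rekor tlog entry
    # are exactly the parts this example leaves to slsa-verifier.
    return {"payloadType": "application/vnd.in-toto+json",
            "payload": payload,
            "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]}


def check_provenance(envelope, artifact, source_uri, source_tag=None):
    """Policy checks matching slsa-verifier's builder-ID, --source-uri and
    --source-tag logic on an already-authenticated envelope.
    Returns a list of failures; an empty list is the 'PASSED' case."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return ["unexpected DSSE payloadType"]
    statement = json.loads(base64.b64decode(envelope["payload"]))
    failures = []
    if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        failures.append("predicateType is not SLSA provenance")
    # 1. The file on disk must be one of the subjects, matched by digest only:
    #    the file name is untrusted, so a renamed download still verifies.
    want = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == want for s in statement.get("subject", [])):
        failures.append(f"artifact sha256 {want[:12]}... not among provenance subjects")
    predicate = statement.get("predicate", {})
    # 2. Provenance must come from the trusted reusable builder workflow.
    builder = predicate.get("builder", {}).get("id", "")
    if builder.split("@", 1)[0] != GENERIC_BUILDER_ID:
        failures.append(f"unexpected builder id {builder!r}")
    # 3. The build must have been driven from the expected repository (and tag).
    uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    expect = f"git+https://{source_uri}"
    if source_tag:
        ok = uri == f"{expect}@refs/tags/{source_tag}"
    else:
        ok = uri == expect or uri.startswith(expect + "@")
    if not ok:
        failures.append(f"source {uri!r} does not match {expect!r} tag={source_tag!r}")
    return failures


def demo():
    """Happy path, tampered artifact, and wrong --source-tag, on constructed data."""
    sbom = b'{"bomFormat": "CycloneDX", "components": []}\n'  # constructed SBOM bytes
    subjects = parse_subjects(base64_subjects({"sbom.tar.gz": sbom}))
    envelope = make_envelope(subjects, GENERIC_BUILDER_ID + "@refs/tags/v1.7.0",
                             "git+https://github.com/argoproj/argo-cd@refs/tags/v2.8.0")
    repo = "github.com/argoproj/argo-cd"
    return (check_provenance(envelope, sbom, repo, "v2.8.0"),
            check_provenance(envelope, sbom + b"\n", repo, "v2.8.0"),
            check_provenance(envelope, sbom, repo, "v2.7.0"))


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "wrong-tag"), demo()):
        print(label, "PASSED" if not result else result)
```

The tampered case fails on the subject digest alone, the wrong-tag case on the configSource URI alone; in a real run these are the same mismatches slsa-verifier reports, but only after it has first checked the DSSE signature against the Fulcio certificate and the Rekor entry, which is why the `signatures` field here is a placeholder and not a check.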
codecov bot commented Jul 13, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (9bf5e50) 49.78% compared to head (816f60a) 49.78%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #14507   +/-   ##
=======================================
  Coverage   49.78%   49.78%           
=======================================
  Files         261      261           
  Lines       44751    44751           
=======================================
+ Hits        22279    22280    +1     
+ Misses      20277    20276    -1     
  Partials     2195     2195           


34fathombelow (Member) left a comment

Overall this is fantastic, thank you so much! Just one minor change regarding the permissions change. Also if you don't mind changing the title of the PR to: Chore: Generate SLSA provenance for SBOM (#14438)

Review comment on .github/workflows/release.yaml (outdated, resolved)

34fathombelow (Member):

@crenshaw-dev Do we want to cherry-pick this to 2.8 and 2.7?

@enteraga6 enteraga6 changed the title feat(release): Generate SLSA provenance for SBOM (#14438) Chore: Generate SLSA provenance for SBOM (#14438) Jul 14, 2023
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
34fathombelow (Member) left a comment

LGTM! Thanks again!

@enteraga6 enteraga6 changed the title Chore: Generate SLSA provenance for SBOM (#14438) chore: Generate SLSA provenance for SBOM (#14438) Jul 14, 2023
@crenshaw-dev crenshaw-dev merged commit 657df21 into argoproj:master Jul 17, 2023
crenshaw-dev (Member):

/cherry-pick release-2.8

gcp-cherry-pick-bot:

Cherry-pick failed with Merge error 657df211a08c5cc8fd2bfa1c77c751efbc19b0ad into temp-cherry-pick-4f73bd-release-2.8

crenshaw-dev (Member):

@enteraga6 if you have time to open a cherry-pick PR against the release-2.8 branch, I'd love to have this as part of the 2.8 GA release. :-)

enteraga6 added a commit to enteraga6/argo-cd that referenced this pull request Jul 17, 2023
…4507)

* Add provenance generation for sbom

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* upload SBOM

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove cosign setup

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* include hashes in generate-sbom output

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Replace Cosign Verification command with SLSA command in docs

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove id-token write permission - no longer needed

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

---------

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Noah Elzner <elzner@google.com>
enteraga6 (Contributor, Author):

@crenshaw-dev Added the cherry-pick PR here!

crenshaw-dev pushed a commit that referenced this pull request Jul 18, 2023
#14559)

* chore: Generate SLSA provenance for SBOM (#14438) (#14507)

* Add provenance generation for sbom

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* upload SBOM

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove cosign setup

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* include hashes in generate-sbom output

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Replace Cosign Verification command with SLSA command in docs

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove id-token write permission - no longer needed

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

---------

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Noah Elzner <elzner@google.com>

* change source tag in sbom verification command to v2.8.0

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

---------

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Noah Elzner <elzner@google.com>
Jneville0815 pushed a commit to radiusmethod/argo-cd that referenced this pull request Jul 18, 2023
…4507)

* Add provenance generation for sbom

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* upload SBOM

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove cosign setup

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* include hashes in generate-sbom output

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Replace Cosign Verification command with SLSA command in docs

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

* Remove id-token write permission - no longer needed

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>

---------

Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Signed-off-by: Jimmy Neville <jimmyeneville@gmail.com>
yyzxw pushed a commit to yyzxw/argo-cd that referenced this pull request Aug 9, 2023
suzaku mentioned this pull request Aug 15, 2023
tesla59 pushed a commit to tesla59/argo-cd that referenced this pull request Dec 16, 2023
Successfully merging this pull request may close these issues.

Use SLSA attestations to attest to SBOMs
3 participants