feat(ci):create sbom generate and attest functions#643

Merged
bupd merged 4 commits into
goharbor:mainfrom
adityachopra29:feat/create-and-attach-sbom
Apr 7, 2026

Conversation

@adityachopra29

@adityachopra29 adityachopra29 commented Jan 24, 2026

Contributor

Overview

This PR fixes #229.
The GitHub Actions CI is modified to:

  1. Generate the SBOM of the image using syft
  2. Attest the SBOM using an in-toto attestation, done with cosign attestations
  • Dagger functions are created for each step, which can be run individually as well.

Verifications

  • SBOM generation:
[image]

This shows that the SBOM is successfully generated using the syft command, and we can see the generated SBOM in the sbom.spdx.json file.

  • Cosign attestation of the generated SBOM for the image:
[image]

This shows that the cosign command used to attest the SBOM to the image is successful.

In the CI, we use the githubToken instead of verification using OTP, which is taken care of in the implementation.
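The two steps above (syft produces an SPDX JSON SBOM, cosign wraps it in an in-toto attestation bound to the image) are worth seeing as data: what actually gets signed is an in-toto Statement whose subject is the image manifest digest and whose predicate is the SBOM. The following is an added example, not code from this PR or from the harbor-cli project, using only the Go standard library. It assumes the predicate type URI cosign records for `--type spdxjson` (`https://spdx.dev/Document`) and the v0.1 in-toto Statement type; the image name, manifest and SBOM are constructed sample values. It also shows the two checks a defender wants around this flow: refuse to attest an SBOM that is not SPDX or lists no packages (a failed syft run should never be signed), and on the consuming side, after `cosign verify-attestation` has checked the signature, confirm the statement's subject digest matches the image that was actually pulled.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Predicate type that `cosign attest --type spdxjson` records for an SPDX JSON
// SBOM, and the in-toto Statement type it is wrapped in (assumed values).
const (
	SPDXPredicateType = "https://spdx.dev/Document"
	StatementType     = "https://in-toto.io/Statement/v0.1"
)

// Subject identifies the image the SBOM describes by its manifest digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the in-toto payload that ends up inside the signed envelope.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// spdxDoc holds the few SPDX fields checked before the SBOM is attested.
type spdxDoc struct {
	SPDXVersion string `json:"spdxVersion"`
	Name        string `json:"name"`
	Packages    []struct {
		Name string `json:"name"`
	} `json:"packages"`
}

// ManifestDigest returns the hex sha256 of the image manifest bytes; this is
// the digest the registry reports and the value the attestation subject must carry.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return hex.EncodeToString(sum[:])
}

func validDigest(d string) bool {
	if len(d) != 64 {
		return false
	}
	_, err := hex.DecodeString(d)
	return err == nil
}

// BuildSBOMStatement validates the SBOM and binds it to the image digest.
// Non-SPDX input or an empty package list is rejected so that a broken
// syft run never gets signed.
func BuildSBOMStatement(imageRef, digestHex string, sbom []byte) (*Statement, error) {
	if !validDigest(digestHex) {
		return nil, fmt.Errorf("image digest %q is not a hex sha256", digestHex)
	}
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, fmt.Errorf("sbom is not valid JSON: %w", err)
	}
	if !strings.HasPrefix(doc.SPDXVersion, "SPDX-") {
		return nil, errors.New("sbom is not an SPDX document")
	}
	if len(doc.Packages) == 0 {
		return nil, errors.New("sbom lists no packages; refusing to attest an empty inventory")
	}
	return &Statement{
		Type:          StatementType,
		PredicateType: SPDXPredicateType,
		Subject:       []Subject{{Name: imageRef, Digest: map[string]string{"sha256": digestHex}}},
		Predicate:     json.RawMessage(sbom),
	}, nil
}

// CheckStatement is the consumer-side check: once the signature has been
// verified, confirm the statement describes the image we pulled and carries
// an SPDX predicate rather than some other attestation type.
func CheckStatement(st *Statement, wantDigestHex string) error {
	if st.Type != StatementType {
		return fmt.Errorf("unexpected statement type %q", st.Type)
	}
	if st.PredicateType != SPDXPredicateType {
		return fmt.Errorf("unexpected predicate type %q", st.PredicateType)
	}
	for _, s := range st.Subject {
		if s.Digest["sha256"] == wantDigestHex {
			return nil
		}
	}
	return errors.New("no subject matches the image digest")
}

// Constructed sample inputs; not real artifacts from the project.
const sampleManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","layers":[]}`
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","name":"harbor-cli","packages":[{"name":"golang.org/x/crypto"}]}`

func main() {
	digest := ManifestDigest([]byte(sampleManifest))
	st, err := BuildSBOMStatement("ghcr.io/example/harbor-cli", digest, []byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
	fmt.Println("consumer check:", CheckStatement(st, digest))
}
```

The digest binding is the part that matters for supply-chain security: an attestation whose subject digest does not match the manifest of the image being deployed says nothing about that image, even if its signature verifies, which is why the consumer check compares digests rather than image names.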

@codecov

codecov Bot commented Jan 24, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.45%. Comparing base (60ad0bd) to head (6627144).
⚠️ Report is 131 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##             main    #643      +/-   ##
=========================================
- Coverage   10.99%   7.45%   -3.54%     
=========================================
  Files         173     261      +88     
  Lines        8671   12930    +4259     
=========================================
+ Hits          953     964      +11     
- Misses       7612   11857    +4245     
- Partials      106     109       +3     


@adityachopra29

Contributor Author

@bupd @NucleoFusion This PR is ready for review. Please have a look :)

@bupd bupd left a comment

Member

/lgtm

Copilot AI left a comment

Contributor

Pull request overview

Adds SBOM generation + in-toto attestation to the container image publish flow to address #229 (attach generated SBOMs to published images), implemented as reusable Dagger functions and wired into the existing publish-and-sign step.

Changes:

  • Generate an SPDX-JSON SBOM for each published image using Syft.
  • Attest the generated SBOM to the image using cosign attest (in-toto attestation).
  • Invoke SBOM generation + attestation as part of PublishImageAndSign.


Comment thread .dagger/publishimage.go
Comment thread .dagger/publishimage.go Outdated
@adityachopra29

Contributor Author

I have made changes, waiting on the working of demo.goharbor.io to test

@adityachopra29 adityachopra29 force-pushed the feat/create-and-attach-sbom branch from 2ce1c3e to 88eda24 (February 17, 2026 14:27)
@bupd

bupd commented Feb 17, 2026

Member

@adityachopra29 please fix lint

@adityachopra29

Contributor Author

Yes, waiting on issue #711 to get fixed. Several contributors have raised PRs for the same. Will rebase when the PR is merged.

@adityachopra29 adityachopra29 force-pushed the feat/create-and-attach-sbom branch from 88eda24 to 3fabe95 (March 5, 2026 14:39)
Signed-off-by: Aditya Chopra <adityachopra2912@gmail.com>
Signed-off-by: Aditya Chopra <adityachopra2912@gmail.com>
Signed-off-by: Aditya Chopra <adityachopra2912@gmail.com>
Signed-off-by: Aditya Chopra <adityachopra2912@gmail.com>
@adityachopra29 adityachopra29 force-pushed the feat/create-and-attach-sbom branch from 3fabe95 to 6627144 (March 5, 2026 14:40)
@adityachopra29

Contributor Author

@bupd @qcserestipy PTAL. I have rebased the branch onto the updated ref.

@bupd bupd merged commit 6a8c0d9 into goharbor:main Apr 7, 2026
7 of 8 checks passed
Development

Successfully merging this pull request may close these issues.

Create and Attach the generated SBOM to the Image
