fix(ci): install syft and call binary by absolute path

[bupd]

Summary

• Add Install Syft step to the publish-and-sign composite action, pinned to anchore/sbom-action/download-syft@v0.24.0 with syft-version: v1.32.0.
• Fix GenerateSBOM in .dagger/publishimage.go to call /syft by absolute path.

Why

The latest publish run failed with:

exec: "syft": executable file not found in $PATH
HarborCli.publishImageAndSign ERROR

anchore/syft:latest is built FROM scratch with ENTRYPOINT ["/syft"] and no shell or $PATH. Dagger's WithExec does not invoke the entrypoint, so "syft" could not be resolved. Using the absolute path /syft resolves the binary directly.

The Install Syft runner step mirrors the existing Install Cosign pattern and pins the action by SHA plus a fixed syft version for reproducibility.

Test plan

• Trigger the publish-and-sign workflow on a snapshot tag and confirm publish-image-and-sign completes, SBOM is generated, and the in-toto attestation is attached to the published image.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.13%. Comparing base (60ad0bd) to head (6b30ee9).
⚠️ Report is 135 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##             main    #823      +/-   ##
=========================================
- Coverage   10.99%   9.13%   -1.86%     
=========================================
  Files         173     270      +97     
  Lines        8671   13195    +4524     
=========================================
+ Hits          953    1206     +253     
- Misses       7612   11876    +4264     
- Partials      106     113       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.