
ci: add attestation to container images and SBOMs #1789

Merged
merged 1 commit into from
Oct 23, 2024

Conversation

arthurus-rex
Contributor

Add in-toto attestation to all image-building ci workflows, for both SBOMs (image.yml) and images themselves (all 3 workflows). Allow necessary permissions to attest (attestations, packages).

@SamYuan1990
Collaborator

Attestations bind some subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format.

A verifiable signature is generated for the attestation using a short-lived Sigstore-issued signing certificate. If the repository initiating the GitHub Actions workflow is public, the public-good instance of Sigstore will be used to generate the attestation signature. If the repository is private/internal, it will use the GitHub private Sigstore instance.

ref to https://github.com/actions/attest-build-provenance
Well, I am open to SLSA, Sigstore or any OpenSSF-style structure in the CI approach.
But, or well...
https://github.com/sustainable-computing-io/kepler/actions/runs/10931316693/job/30346044739?pr=1789
It should not be in the PR image build, IMO; it's valuable for users who will use the release image or the daily image (which is the latest-tag image).

I am not sure if we need additional project configuration for Sigstore, @rootfs, could you please advise?
At least within this PR, it seems we need a GitHub token.
https://github.com/actions/attest-build-provenance?tab=readme-ov-file#inputs
Or @arthurus-rex, regarding the GitHub token settings: it seems a PR (as the PR owner is from a fork repo) can't use the upstream repo's GitHub token setting for security reasons, so please update the code and remove/update the settings for this GitHub action. I suppose we don't need a push to the registry for each PR.
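The discussion above covers three points that a workflow has to get right: which permissions the attest step needs, attesting the image by digest (with `push-to-registry` so the attestation is stored next to the image), and not running it on pull_request builds. The workflow below is an added example, not Kepler's own CI nor code from the actions/attest-build-provenance project. It assumes a push-to-main trigger, a placeholder image name under ghcr.io, and a placeholder SBOM generator (`syft`); the action inputs (`subject-name`, `subject-digest`, `push-to-registry`, `sbom-path`) are the documented ones. Workflows triggered by `pull_request` from a fork receive a read-only GITHUB_TOKEN and cannot obtain an `id-token: write` OIDC token, so the attest step would fail there, which is why the trigger is restricted to pushes:

```yaml
# Added example (not Kepler's own workflow): build, push, attest image + SBOM, then verify.
name: build-and-attest

on:
  push:
    branches: [main]   # release/daily builds only; fork PRs cannot mint OIDC tokens

jobs:
  image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write       # push the image and the attestation to the registry
      id-token: write       # Sigstore OIDC identity for the short-lived signing certificate
      attestations: write   # store the attestation via the GitHub attestations API
    env:
      IMAGE: ghcr.io/${{ github.repository }}/example-image   # placeholder (must be lowercase)
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Bind the provenance to the digest, never to a tag: tags are mutable,
      # the digest is what a verifier compares against.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

      # SBOM generator is an assumed tool; any SPDX/CycloneDX producer works.
      - run: >
          syft ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          -o spdx-json > sbom.spdx.json

      - uses: actions/attest-sbom@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          sbom-path: sbom.spdx.json
          push-to-registry: true

      # What a consumer runs before deploying: checks the Sigstore signature and that
      # the provenance was issued for this repository owner's workflow.
      - run: >
          gh attestation verify
          oci://${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          --owner ${{ github.repository_owner }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `permissions` block is the minimum for this job: dropping `id-token: write` breaks Sigstore signing, dropping `attestations: write` breaks storage in GitHub, and `packages: write` is only needed because the attestation is also pushed to the registry. Keep the verification step (or run `gh attestation verify` in the deploy pipeline) so a build whose provenance cannot be verified never reaches a consumer silently.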

@arthurus-rex
Contributor Author

arthurus-rex commented Sep 19, 2024

@SamYuan1990 sounds good, I think removing the attestation from image_pr.yml makes sense. The attestation in general was suggested to me by @dave-tucker (tagged in case he has any input/suggestions here). I will update this PR over the next 1-2 days.

Follow-up question: Is there a reason we are pushing to registry at all for PRs?

@SamYuan1990
Collaborator

SamYuan1990 commented Sep 19, 2024

> @SamYuan1990 sounds good, I think removing the attestation from image_pr.yml makes sense. The attestation in general was suggested to me by @dave-tucker (tagged in case he has any input/suggestions here). I will update this PR over the next 1-2 days.
>
> Follow-up question: Is there a reason we are pushing to registry at all for PRs?

IMO, at the PR level,
https://github.com/sustainable-computing-io/kepler/blob/main/.github/workflows/pull_request.yml#L50
the push image option is set to false, so for each PR we should not push an image.

https://github.com/sustainable-computing-io/kepler/blob/main/.github/workflows/image_pr.yml#L4 works with workflow_dispatch, so when we need to debug/test a PR image/PR version, someone will manually build the image and upload it.

https://quay.io/repository/sustainable_computing_io/kepler?tab=tags&tag=latest, which is the same as the image tags you see on quay.io.

Add in-toto attestation to base image ci workflows, for both
SBOMs and images themselves upon build and push. Allow necessary
permissions to attest (attestations, packages) on these workflows.

Signed-off-by: Arthur Savage <[email protected]>
@arthurus-rex
Contributor Author

I removed the attestation on PR and restricted permissions where possible.

Collaborator

@SamYuan1990 SamYuan1990 left a comment


LGTM

@SamYuan1990
Collaborator

The code change looks good to me, @arthurus-rex. As push-to-registry is set, I am not sure if @rootfs, @vprashar2929 or another Kepler maintainer can provide a link to preview the output?

@rootfs rootfs merged commit 8770bf5 into sustainable-computing-io:main Oct 23, 2024
23 checks passed