feat: Generate SLSA provenance for operator images

[dervoeti]

Add provenance-oci and provenance-quay jobs to the templated build workflow. Both call the slsa-github-generator container workflow against the multi-arch image index digest published to each registry, attaching signed SLSA build provenance to the image.

Caution

Don't merge yet, needs stackabletech/actions#113

Optional extra information:
I added SLSA provenance to our fork of SecObserve already in a similar fashion, here is the workflow run:
https://github.com/stackabletech/SecObserve/actions/runs/28184881580

Here is an example of how to manually inspect the SLSA provenance attestation for an image:

cosign download attestation oci.stackable.tech/stackable/secobserve-backend@sha256:f86020f9a9cc94e9481c94920b46acbf141f809928f6ade07a59
de8a844526f3 | jq -r '.payload' | base64 -d | jq 'select(.predicateType=="https://slsa.dev/provenance/v0.2") | .predicate.invocation'

Or using slsa-verifier:

slsa-verifier verify-image oci.stackable.tech/stackable/secobserve-backend@sha256:f86020f9a9cc94e9481c94920b46acbf141f809928f6ade07a59de8a844526f3 --source-uri github.com/stackabletech/SecObserve

It's basically a signed JSON document that provides a ton of metadata about the image build. The attestation is done by an isolated job that runs https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml, so it's an independent "witness" that can't be manipulated (this means we achieve SLSA level 3). Luckily it's pretty easy to do since we use GitHub actions.