ci: add build provenance attestations for release artifacts

[knqyf263]

Description

Add SLSA build provenance attestations to the release workflow using
actions/attest. While cosign keyless
signing already provides signature verification, attestations offer a
standardized SLSA format and simple verification via gh attestation verify.

Changes:

• Add attestations: write permission to reusable-release.yaml
• Add actions/[email protected] step after GoReleaser to generate attestations
  from dist/checksums.txt
• Add checksum.name_template: checksums.txt to goreleaser.yml for a
  predictable filename

Tested on aquasecurity/trivy-test with a full release workflow run.

Related issues

• Close Add build provenance attestations for release artifacts #10315

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[DmitriyLewen]

There is an issue with the install script. It currently expects a versioned filename:

trivy/contrib/install.sh

Lines 393 to 394 in 75c4dc0

	CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
	CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}

Because of this, http_download will fail when trying to fetch trivy_X.Y.Z_checksums.txt (instead of checksums.txt).

We either need to update the install script, or, alternatively, we can just specify the correct filename right here:

Suggested change

	subject-checksums: dist/checksums.txt
	subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt