recommend:
- use docker/build-push-action for multi-arch in the CI/CD GHA (gives us rich metadata)
- use the anchore/sbom-action to produce the SPDX SBOM
- Attest, not Attach, the SBOM with cosign along with the image signature (this would also ensure the SBOM is signed)
following up on #1790 (review)