ci: generate attestations during a release

[34fathombelow]

closes #2353
Can supersede #2783

This PR generates attestations during a release using a new release process. Each attestation contains a SLSA Level 3 provenance which is then cryptographically signed. A SLSA provenance is generated for Argo Rollouts container images and CLI binaries that are published during a release. These provenances are non-falsifable and generated using slsa-github-generator. The release workflow needed to be refactored in order to provide a isolated environment for each step of the build process. This ensures a build will not influence another build, while also denying access to the required permissions to sign a artifact or generate a provenance.

Notable Changes

• Provenance for containers images
• Provenance for CLI binaries

Low Impact Breaking Changes

• Container images and a provenance are signed using a keyless method that produce ephemeral certificates(we no longer manage private keys)
• Only the latest tag will be used, master tag has been removed on a push events of the master branch.

Testing

All new and modified files have been fully tested in a public repo. Access to the repo can be requested for testing or trying out the new process.

[github-actions]

Go Published Test Results

1 990 tests   1 990 ✔️  2m 37s ⏱️
   118 suites         0 💤
       1 files           0 ❌

Results for commit b281958.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

Patch and project coverage have no change.

Comparison is base (3c5ac36) 81.67% compared to head (b281958) 81.67%.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2785   +/-   ##
=======================================
  Coverage   81.67%   81.67%           
=======================================
  Files         133      133           
  Lines       20193    20193           
=======================================
  Hits        16493    16493           
  Misses       2847     2847           
  Partials      853      853           

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[github-actions]

E2E Tests Published Test Results

    4 files      4 suites   3h 26m 4s ⏱️
  97 tests   85 ✔️   5 💤   7 ❌
402 runs  369 ✔️ 20 💤 13 ❌

For more details on these failures, see this check.

Results for commit b281958.

♻️ This comment has been updated with latest results.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
6.1% Duplication