Description
Allow signed artifacts used via input.http to also be verified similar to bundles.
Proposed helpers:
artifact_attestation(input.http, filename) - Verifies the artifact against a signed Sigstore bundle file. Returns a struct with signature info fields.
github_attestation(input.http, repo_name) - Similar, but instead of passing the file directly, the attestation is pulled by digest via the GitHub API. The signed attestation needs to be uploaded to the GitHub repo.
The Sigstore bundle needs to have a valid Fulcio signature, but no specific signer identity is required by these helpers. Identity can be checked in the policy based on the helper's return value.
I think we can also extend the current docker_github_builder and docker_github_builder_tag to directly accept input.http and perform github_attestation with extra conditions internally. Maybe a new docker_github_builder_bundle(input.http, filename) to allow the file to be passed in directly as well.
All the places that accept filenames could also accept URLs.
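To make the "identity can be checked based on the helper return value" part concrete, here is an added example (not code from this project or the issue author) of the policy-side checks that would follow a helper like the proposed artifact_attestation(). It assumes the helper has already verified the bundle's Fulcio signature and transparency-log entry and returns a struct with the signer identity and OIDC issuer; the field names (signer_identity, issuer, bundle), the sample artifact bytes, the in-toto statement and the minimal bundle are all constructed for this example. The policy then confirms that the bytes actually downloaded match a subject digest inside the bundle's DSSE payload, and pins the signer identity to an exact GitHub repo, workflow and (optionally) ref.

```python
"""Added example: policy-side checks after a Sigstore bundle has been verified.

Assumptions (not part of the project): a helper has verified the bundle's
Fulcio signature and returns a dict with 'signer_identity', 'issuer' and
'bundle'. Everything below is constructed sample data and stdlib-only code.
"""
import base64
import hashlib
import json

# Constructed sample artifact, standing in for the body fetched via input.http.
ARTIFACT = b"example release binary contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed in-toto statement, as it would sit base64-encoded in dsseEnvelope.payload.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "release.bin", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}

# Constructed minimal Sigstore bundle. A real bundle also carries
# verificationMaterial (certificate, Rekor entry); omitted here because this
# example assumes the helper already verified those.
BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "signatures": [{"sig": "<signature bytes omitted in this example>"}],
    },
}

# Constructed stand-in for the struct the proposed helper would return after a
# successful Fulcio verification. Field names are assumptions.
HELPER_RESULT = {
    "signer_identity": "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
    "issuer": "https://token.actions.githubusercontent.com",
    "bundle": BUNDLE,
}

GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


def subject_digests(bundle):
    """Decode the DSSE payload and return the set of sha256 subject digests."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType: " + env["payloadType"])
    statement = json.loads(base64.b64decode(env["payload"]))
    return {
        s["digest"]["sha256"]
        for s in statement.get("subject", [])
        if "sha256" in s.get("digest", {})
    }


def artifact_matches(bundle, data):
    """True only if the bytes actually downloaded are one of the attested subjects."""
    return hashlib.sha256(data).hexdigest() in subject_digests(bundle)


def identity_allowed(result, repo, workflow, ref=None, issuer=GITHUB_ACTIONS_ISSUER):
    """Pin the signer to an exact repo/workflow path and the GitHub Actions issuer.

    The path is compared for equality rather than as a prefix so that a
    lookalike repo name (e.g. 'example-repo-evil') cannot pass. The ref after
    '@' is checked only when the caller asks for it.
    """
    path, sep, got_ref = result["signer_identity"].partition("@")
    if not sep:
        return False
    if path != f"https://github.com/{repo}/.github/workflows/{workflow}":
        return False
    if ref is not None and got_ref != ref:
        return False
    return result["issuer"] == issuer


def policy_allows(result, data, repo, workflow, ref=None):
    """Combined decision: digest of the downloaded bytes and signer identity both match."""
    return artifact_matches(result["bundle"], data) and identity_allowed(result, repo, workflow, ref)


if __name__ == "__main__":
    print("allowed:", policy_allows(HELPER_RESULT, ARTIFACT, "example-org/example-repo", "release.yml"))
```

The digest check matters even when the signature is valid: a bundle proves that some bytes were attested, and comparing against the bytes returned by input.http is what ties the attestation to the artifact the policy is actually evaluating.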