fix: Add SBOM attestation to Docker build
Add SBOM attestation support to Docker builds
- Enable SBOM attestation for Docker images by default on tags and the default branch.
- Provide a label (~docker-attest-sbom) and a variable (DOCKER_ATTEST_SBOM) to enable SBOM attestation on branch builds.
- Add an option to disable SBOM attestation (DOCKER_NO_ATTEST_SBOM).
- Update the Docker metadata documentation to reflect the new options.
- Update the Dockerfile build process to include SBOM attestation by default on tags and the default branch.
SBOM Attestation
By default, tag and default branch images will have SBOM attestations attached using the Docker SBOM attestation feature: https://docs.docker.com/build/metadata/attestations/sbom/.
This behaviour can be modified:
- Add the ~docker-attest-sbom label to an MR to write attestations for docker images produced on the branch, or set DOCKER_ATTEST_SBOM="1".
- To disable SBOM attestations, set DOCKER_NO_ATTEST_SBOM="1".
Listing the Software Bill of Materials in a Docker Image
To list all packages in a Docker image, the Docker documentation provides example usage, for example:
```
$ # list all packages in a Docker container
$ docker buildx imagetools inspect <image> \
    --format "{{ range .SBOM.SPDX.packages }}{{ .name }}@{{ .versionInfo }}{{ println }}{{ end }}"
alpine-baselayout@3.6.5-r0
alpine-baselayout-data@3.6.5-r0
alpine-keys@2.4-r1
apk-tools@2.14.4-r0
busybox@1.36.1-r29
busybox-binsh@1.36.1-r29
ca-certificates-bundle@20240705-r0
libcrypto3@3.3.2-r0
libssl3@3.3.2-r0
musl@1.2.5-r0
musl-utils@1.2.5-r0
scanelf@1.3.7-r2
ssl_client@1.36.1-r29
zlib@1.3.1-r1
```
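An added example, not part of this MR or of the Docker documentation, that builds on the same `.SBOM.SPDX.packages` / `.name` / `.versionInfo` fields: it diffs the attested package lists of two image builds (for instance the previous tag and the new one) so a release job can report package churn, and it fails loudly when an image carries no SBOM at all. The two SPDX documents are constructed samples standing in for what `docker buildx imagetools inspect <image> --format '{{ json .SBOM.SPDX }}'` prints for a single-platform image.

```python
"""Diff the SPDX SBOMs attested on two image builds (e.g. previous tag vs. new tag)."""
import json
from typing import Dict, Set, Tuple

# Constructed sample SPDX documents using the fields the inspect template above reads;
# in practice each would come from:
#   docker buildx imagetools inspect <image> --format '{{ json .SBOM.SPDX }}'
OLD_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "busybox", "versionInfo": "1.36.1-r28"},
    {"name": "libssl3", "versionInfo": "3.3.1-r0"},
    {"name": "musl", "versionInfo": "1.2.5-r0"},
]})
NEW_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "busybox", "versionInfo": "1.36.1-r29"},
    {"name": "libssl3", "versionInfo": "3.3.2-r0"},
    {"name": "musl", "versionInfo": "1.2.5-r0"},
    {"name": "scanelf", "versionInfo": "1.3.7-r2"},
]})


def package_set(spdx_json: str) -> Set[str]:
    """Return the 'name@version' entries of an SPDX document.

    An image built with DOCKER_NO_ATTEST_SBOM, or a branch build without the
    label/variable, carries no SPDX document; an empty package list is an error
    rather than something to silently diff against.
    """
    doc = json.loads(spdx_json) if spdx_json.strip() else {}
    pkgs = doc.get("packages") or []
    if not pkgs:
        raise ValueError("no SBOM packages found; was the image built with SBOM attestation?")
    return {f"{p['name']}@{p.get('versionInfo', '')}" for p in pkgs}


def diff_sboms(old_json: str, new_json: str) -> Tuple[Set[str], Set[str], Dict[str, Tuple[str, str]]]:
    """Return (added, removed, changed); changed maps name -> (old version, new version)."""
    old, new = package_set(old_json), package_set(new_json)
    added, removed = new - old, old - new
    old_versions = {e.rsplit("@", 1)[0]: e.rsplit("@", 1)[1] for e in removed}
    changed: Dict[str, Tuple[str, str]] = {}
    for entry in sorted(added):
        name, ver = entry.rsplit("@", 1)
        if name in old_versions:  # same package present in both, different version
            changed[name] = (old_versions[name], ver)
    # A version bump is reported once, under 'changed', not as an add plus a remove.
    added = {e for e in added if e.rsplit("@", 1)[0] not in changed}
    removed = {e for e in removed if e.rsplit("@", 1)[0] not in changed}
    return added, removed, changed


if __name__ == "__main__":
    a, r, c = diff_sboms(OLD_SBOM, NEW_SBOM)
    print("added:", sorted(a), "removed:", sorted(r), "changed:", c)
```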