feat(integrations): Add attestations integrations

What does this MR do and why?

This merge request adds an integration with the newly created Attestation endpoints. These two endpoints enable the retrieval of Sigstore bundles from GitLab.

Example URLs:

  • https://gitlab.com/api/v4/projects/sroque-worcel%2Ftest-slsa-worker/attestations/76c34666f719ef14bd2b124a7db51e9c05e4db2e12a84800296d559064eebe2c (lookup by artifact digest)
  • https://gitlab.com/api/v4/projects/72356192/attestations/1/download (download by attestation id)

What are "Sigstore bundles"?

The Pipeline Security group is working towards providing users with SLSA Level 3 Provenance Attestations. Quoting from the SLSA documentation, provenance attestations are:

It’s the verifiable information about software artifacts describing where, when, and how something was produced. For higher SLSA levels and more resilient integrity guarantees, provenance requirements are stricter and need a deeper, more technical understanding of the predicate. Describe how an artifact or set of artifacts was produced so that:

  • Consumers of the provenance can verify that the artifact was built according to expectations.
  • Others can rebuild the artifact, if desired.

As a simplified TL;DR, in the context of GitLab, a provenance statement is a JSON document that correlates the SHA-256 sum of an artifact with the build information. A worker then digitally signs this statement; the signed result, called a provenance attestation, is stored as a "Sigstore Bundle" blob. This is a highly sought-after feature, particularly for our GitLab Ultimate customers.
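As an added example (not code from this MR or from GitLab), the following Python decodes a Sigstore bundle of the kind the new endpoint returns, pulls the in-toto provenance statement out of its DSSE envelope and checks that the statement's subject digest is the SHA-256 of a local artifact; it also shows how the lookup URL for a project path is formed. The artifact, bundle and project path are constructed sample values, and verifying the DSSE signature and Sigstore verification material is left to a Sigstore verifier such as cosign or sigstore-python.

```python
import base64
import hashlib
import json
from urllib.parse import quote

GITLAB_API = "https://gitlab.com/api/v4"  # assumption: gitlab.com; self-managed hosts differ


def attestation_url(project: str, artifact_sha256: str) -> str:
    """Lookup URL for an artifact digest. The project may be a numeric id or a
    path; a path must be URL-encoded (slash -> %2F), as in the MR's example URL."""
    return f"{GITLAB_API}/projects/{quote(project, safe='')}/attestations/{artifact_sha256}"


def statement_from_bundle(bundle: dict) -> dict:
    """Extract the in-toto statement carried in a Sigstore bundle's DSSE envelope.
    This only decodes the payload; it does NOT verify the DSSE signature or the
    bundle's verificationMaterial (certificate, transparency log entry)."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')}")
    return json.loads(base64.b64decode(env["payload"]))


def subject_matches(statement: dict, artifact: bytes) -> bool:
    """True if the artifact's SHA-256 is one of the statement's subjects."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256", "").lower() == digest
               for s in statement.get("subject", []))


# Constructed sample (not a real GitLab attestation): an artifact and a bundle
# whose provenance statement binds that artifact's digest.
SAMPLE_ARTIFACT = b"hello from a constructed build artifact\n"
_statement = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {}},
}
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {},  # certificate / log entry omitted in this constructed sample
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    },
}

if __name__ == "__main__":
    st = statement_from_bundle(SAMPLE_BUNDLE)
    print(attestation_url("sroque-worcel/test-slsa-worker", st["subject"][0]["digest"]["sha256"]))
    print("subject matches artifact:", subject_matches(st, SAMPLE_ARTIFACT))
```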

Testing

I've tested this integration on the associated MR: Draft: Attestation verification via cli.

Edited by Sam Roque-Worcel
