Attach SBOMs generated by GLCS to the images as in-toto attestations

We have enabled GLCS (GitLab Container Scanning) in our release pipelines, which, in addition to running container scanning, also generates a CycloneDX SBOM artifact. We should attach this SBOM as an in-toto attestation to the image, preferably using cosign, in a CI job in the release pipeline (maybe even in the after_script of the container scanning jobs themselves 🤷).
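A release-pipeline job that does this, added here as an example and not taken from the project's pipeline: it picks up the CycloneDX SBOM artifact of the container scanning job and attaches it to the image as an in-toto attestation with cosign, signing keylessly with GitLab's OIDC id token. It assumes the scanning job is named `container_scanning` and leaves the SBOM as `gl-sbom-report.cdx.json`, that a `build` job exports the pushed image digest as `IMAGE_DIGEST` in a dotenv artifact, and a particular cosign image version; all three are assumptions.

```yaml
# Added example, not the project's own CI config.
attest_sbom:
  stage: release
  image:
    name: gcr.io/projectsigstore/cosign:v2.2.4   # assumed cosign image and version
    entrypoint: [""]
  needs:
    - job: container_scanning     # assumed job name; provides the SBOM artifact
      artifacts: true
    - job: build                  # assumed: exports IMAGE_DIGEST via a dotenv artifact
      artifacts: true
  id_tokens:
    SIGSTORE_ID_TOKEN:            # cosign reads this for keyless (Fulcio) signing
      aud: sigstore
  variables:
    SBOM: "gl-sbom-report.cdx.json"   # assumed artifact name
  script:
    - cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
    # Refuse to attest an empty or non-CycloneDX file (e.g. from a scan that did not run).
    - test -s "$SBOM"
    - grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$SBOM"
    # Attest the digest, not the tag: tags are mutable, the attestation must bind
    # the exact image bytes that were scanned.
    - cosign attest --yes --type cyclonedx --predicate "$SBOM" "$CI_REGISTRY_IMAGE@$IMAGE_DIGEST"
    # Verify immediately so a broken attestation fails the pipeline rather than
    # being discovered after the image has been copied to the public registry.
    - >-
      cosign verify-attestation --type cyclonedx
      --certificate-oidc-issuer "$CI_SERVER_URL"
      --certificate-identity-regexp "^$CI_PROJECT_URL//"
      "$CI_REGISTRY_IMAGE@$IMAGE_DIGEST" > /dev/null
```

Running this as its own job rather than in the scanning job's `after_script` keeps the two concerns apart: `after_script` also runs when the scanning `script` fails, so an attestation could be produced for a scan that never completed, whereas `needs` only runs this job after `container_scanning` has succeeded.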

Once done, our existing publish logic will copy both the image and attestation to the public image registry.