Add attestation download API endpoint

Why are we doing this work

As part of Polish the MVC end-to-end Attestation workflow (#577701 - closed) this issue is to add the download API endpoint to the attestations API.

Relevant links

• Polish the MVC end-to-end Attestation workflow
• Resolve "Create Attestations List API"

Non-functional requirements

• Documentation: Documentation will be written within the API endpoint, will document as is normally done for API endpoints. See related Resolve "Create Attestations List API" for an example of this.
• Feature flag: [FF] slsa_provenance_statement -- Roll out feature flag to publish SLSA provenance statements
• Performance: Performance considerations were part of the design. See Polish the MVC end-to-end Attestation workflow for more info.
• Testing: unit testing/manual testing. See verification steps below.

Implementation plan

• Add a new resource in lib/api/supply_chain/attestations.rb, ensuring FF check works and ensuring authorisation check works. The path should be /api/v4/projects/:project_id/attestations/:iid/download and should return the full contents of the attestation bundle file.

Verification steps

1. Create the required attestations in production as required.
2. Retrieve the bundle.
3. Perform a verification.