feat(ci): add build provenance attestations to release workflow

[ogulcanaydogan]

Summary

Adds SLSA build provenance attestations to the release workflow so users can verify the origin of release artifacts.

Changes

In reusable-release.yaml:

• Added attestations: write permission
• Added actions/attest-build-provenance@v2.1.0 step after GoReleaser
• Only runs for non-canary builds
• Covers: .tar.gz, .zip, .deb, .rpm, and checksum files

After this, users can verify release artifacts:

gh attestation verify trivy_0.69.3_Linux-64bit.tar.gz --repo aquasecurity/trivy

Testing

This is a CI-only change. The attestation step uses GitHub's built-in OIDC and Sigstore integration, no secrets needed beyond the existing id-token: write permission.

Fixes #10315

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[ogulcanaydogan]

@CLAassistant check

[ogulcanaydogan]

@CLAassistant check

[ogulcanaydogan]

Hi @aquasecurity/trivy-maintainers — this PR has been open for about 2 weeks now. Could someone take a look when you get a chance? Happy to make any changes needed. Thanks!

[knqyf263]

Thanks for the contribution.

However, this functionality has already been implemented in #10316, which was opened alongside the linked issue #10315 on the same day and has been merged. Closing as duplicate.