feat: add GitHub native attestations for SBOM and provenance

[retr0h]

Summary

• Add actions/attest-build-provenance and actions/attest-sbom to docker
  publish workflow — attestations show up on the GitHub package page
• Generate SBOM via anchore/sbom-action (SPDX format)
• Remove BuildKit sbom: true (deprecated approach)
• Update docs: replace cosign download sbom with gh attestation verify
• Point cosign and SBOM badges to the package page where attestations are
  visible

🤖 Generated with Claude Code

[github-actions]

Thank you for contributing to this project! 😊🕹️

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main     #279   +/-   ##
=======================================
  Coverage   99.84%   99.84%           
=======================================
  Files         227      227           
  Lines        9925     9925           
=======================================
  Hits         9910     9910           
  Misses         11       11           
  Partials        4        4           

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update cb9c48b...7cac3d6. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.