b9abe15562
Adds SBOM attestations https://docs.docker.com/build/metadata/attestations/sbom/ Requires https://github.com/rust-secure-code/cargo-auditable/pull/236 for our uv binaries and their dependencies to be included in the SBOM You can inspect the SBOM with, e.g.: ``` docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427 --format '{{json .SBOM}}' | jq docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427-python3.9-trixie --format '{{json .SBOM}}' | jq ``` Also explicitly sets https://docs.docker.com/build/metadata/attestations/slsa-provenance/#max but there appears to be no change as all of the max SLSA data is already present.