feat: add internal reproducible git checksum builtin

[jonnystoten]

Adds a new rego builtin attest.internals.reproducible_git_checksum. This is needed for verifying DOI provenance, see https://github.com/docker/doi-image-policy/blob/main/slsa.md#doi-build-reproducible-git-checksum.

We use https://github.com/go-git/go-git for as much of this as possible, but it doesn't support the actual archive operation, so we shell out to git for that.

There is some similar unexported code in bashbrew, and we should probably be using the same code in the build process as we are here. I'll create a follow-up ticket to sort that out.

[codecov]

Codecov Report

Attention: Patch coverage is 74.58564% with 46 lines in your changes missing coverage. Please review.

Project coverage is 66.61%. Comparing base (3cf2d92) to head (ef18345).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/git/git.go	74.28%	19 Missing and 8 partials ⚠️
policy/rego.go	75.00%	13 Missing and 6 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #203      +/-   ##
==========================================
+ Coverage   66.37%   66.61%   +0.24%     
==========================================
  Files          44       45       +1     
  Lines        3215     3373     +158     
==========================================
+ Hits         2134     2247     +113     
- Misses        779      810      +31     
- Partials      302      316      +14     

Flag	Coverage Δ
unittests	66.61% <74.58%> (+0.24%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.