experiment: Add Wolfi based images

[wlynch]

Opening as a draft since if we actually want to do this or not, but opening up for discussion. (cc @afrittoli)

Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks).

These images are smaller and are kept up to date with upstream with a focus on minimal CVEs.

(computed using crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec)

Image	Size
gcr.io/tekton-releases/dogfooding/ko:latest	277M us-docker.pkg.dev/wlynch-chainguard/public/ko@latest-wolfi

CVE Scans:

$ grype gcr.io/tekton-releases/dogfooding/ko:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                                                                                                                                                                                 sha256:a41f5ae73e4a3aa0652d8653d22cd8dcf499f1ad2e78c3c1433127fe3ee6d61f
 ✔ Cataloged packages              [231 packages]
 ✔ Scanned for vulnerabilities     [23 vulnerability matches]
   ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   12 fixed, 11 not-fixed, 0 ignored (4 dropped)

$ grype us-docker.pkg.dev/wlynch-chainguard/public/ko:latest-wolfi
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                                                                                                                                                                                                 sha256:e5b9decd9f30c3500f7e289c7abd7d054e122b128877215b47b78b769e915329
 ✔ Cataloged packages              [191 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored (4 dropped)

These aren't wired up to CI yet, but they're configured to publish to a different tag (latest-wolfi)

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide
for more details.

[tekton-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from wlynch after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tekton-robot]

The following Tekton test failed:

Test name	Commit	Details	Required	Rerun command
check-pr-has-kind-label	d65d885	link	true	/test check-pr-has-kind-label