clowdhaus / argo-cd-action

GitHub action for executing Argo CD 🦑
Apache License 2.0

Security: Can the checksum/SLSA provenance of the downloaded ArgoCD cli be verified? #25

Open dannystaple opened 11 months ago

dannystaple commented 11 months ago

Is your feature request related to a problem? Please describe.

Supply chain injections are becoming a common security flaw in CI systems and build chains. This includes:

Describe the solution you'd like

ArgoCD provides multiple mechanisms to validate the authenticity of the download, with SLSA and weaker SHA256 checksums available. Using one of these to verify the provenance of the intended version improves the integrity of using the dependency.

This would be in the code to download ArgoCD for use by this action.

Using the SLSA method is preferred as it is more secure.

Describe alternatives you've considered

Using the simpler SHA256 mechanism. Performing these actions without using this repository.

Additional context Add any other context or screenshots about the feature request here.
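Added example (not part of the issue or of the action's own code): a POSIX shell sketch of the verification step the request describes. The download helper fetches the CLI binary together with the release's checksum list, only installs the binary once its SHA256 matches, and optionally runs `slsa-verifier` against the release provenance. The asset names (`argocd-linux-amd64`, `cli_checksums.txt`, `argocd-cli.intoto.jsonl`) and the GitHub release URL layout are assumptions about the argoproj/argo-cd release layout; the offline self-check at the bottom uses a constructed file and checksum list so it runs without network access.

```shell
#!/usr/bin/env sh
# Added example, not the action's own code. Verifies a downloaded Argo CD CLI
# against the release checksum list (and, when available, SLSA provenance)
# before the binary is installed. Asset names and URL layout are assumptions.
set -eu

# Use whichever SHA-256 tool is present (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE hashes to EXPECTED_HEX (case-insensitive).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# expected_from_list CHECKSUM_FILE ASSET_NAME
# Pulls the hash for ASSET_NAME out of a sha256sum-style list
# ("<hex>  <name>" per line). Fails if the asset is not listed, so a
# missing entry is never silently treated as "nothing to check".
expected_from_list() {
  list=$1
  name=$2
  hash=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
  [ -n "$hash" ] || { echo "no checksum for $name in $list" >&2; return 1; }
  printf '%s\n' "$hash"
}

# verify_against_list FILE CHECKSUM_FILE ASSET_NAME
verify_against_list() {
  expected=$(expected_from_list "$2" "$3") || return 1
  verify_sha256 "$1" "$expected"
}

# verify_slsa FILE PROVENANCE_FILE VERSION
# Stronger check: the provenance attests which source repo and tag built the
# artifact. Assumes the slsa-verifier CLI is installed; skipped otherwise.
verify_slsa() {
  if ! command -v slsa-verifier >/dev/null 2>&1; then
    echo "slsa-verifier not installed; falling back to checksum only" >&2
    return 0
  fi
  slsa-verifier verify-artifact "$1" \
    --provenance-path "$2" \
    --source-uri github.com/argoproj/argo-cd \
    --source-tag "$3"
}

# download_and_verify VERSION DEST
# Network path as the action would use it (assumed URL and asset names).
# The binary is only made executable after every check passes.
download_and_verify() {
  version=$1
  dest=$2
  base="https://github.com/argoproj/argo-cd/releases/download/${version}"
  asset="argocd-linux-amd64"
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/$asset" "$base/$asset"
  curl -fsSL -o "$tmp/cli_checksums.txt" "$base/cli_checksums.txt"
  curl -fsSL -o "$tmp/argocd-cli.intoto.jsonl" "$base/argocd-cli.intoto.jsonl"
  verify_against_list "$tmp/$asset" "$tmp/cli_checksums.txt" "$asset"
  verify_slsa "$tmp/$asset" "$tmp/argocd-cli.intoto.jsonl" "$version"
  install -m 0755 "$tmp/$asset" "$dest"
  rm -rf "$tmp"
}

# Offline self-check with a constructed binary and checksum list.
# sha256("hello") is the well-known value below.
demo_offline() {
  d=$(mktemp -d)
  printf 'hello' > "$d/argocd-linux-amd64"
  printf '%s  %s\n' \
    2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
    argocd-linux-amd64 > "$d/cli_checksums.txt"
  if verify_against_list "$d/argocd-linux-amd64" "$d/cli_checksums.txt" argocd-linux-amd64; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$d"
  return $rc
}

demo_offline && echo "offline checksum self-check passed"
```

In the action, `download_and_verify "$INPUT_VERSION" /usr/local/bin/argocd` would replace a bare `curl ... && chmod +x`; the important design point is that the checksum list must be fetched from the same release the binary came from, and that a missing entry or a missing hash tool fails the step rather than passing it.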

bryantbiggs commented 10 months ago

Makes sense - we can look at adding this in, thank you!