Open lcarva opened 1 year ago
The SLSA Provenance generated on GitHub does not include details about the workflow used to build a container image.
This makes it hard to create a policy rule that checks if a certain GitHub action was included in the process, e.g. did a code scanner run?
The SLSA Provenance does contain a reference to the workflow:
```shell
🐚 cosign verify-attestation quay.io/lucarval/festoji:latest --type slsaprovenance \
    --certificate-github-workflow-repository lcarva/festoji \
    --certificate-identity 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.7.0' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
    | jq '.payload | @base64d | fromjson | .predicate.invocation.configSource'
{
  "uri": "git+https://github.com/lcarva/festoji@refs/heads/master",
  "digest": {
    "sha1": "848edc452ccbc6d42ec56c2807eef2f49e754c5e"
  },
  "entryPoint": ".github/workflows/package.yaml"
}
```
Let's introduce a new custom built-in rego function to fetch the workflow, e.g. `ec.fetch_slsa_config_source(attestation)`.
Ideally this is generic enough that it is not necessarily tied to GitHub. It ought to work with any git URI reference, and potentially with other URI types.
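The following is an added example, not code from the issue or from the ec-cli project, showing what a function like the proposed `ec.fetch_slsa_config_source` would have to do before a policy can ask "did a code scanner run?": decode the DSSE envelope that `cosign verify-attestation` prints, read `predicate.invocation.configSource`, turn the `git+https` URI into a fetch location pinned to the resolved commit digest rather than the branch ref, and then inspect the fetched workflow for a given action. The attestation, the workflow text and the `raw.githubusercontent.com` mapping are constructed assumptions; other git hosts would need their own mapping, which is exactly why the issue asks for a generic function.

```python
"""Added example: resolving a SLSA v0.2 configSource to the workflow that
built an image, then checking that workflow for a given action.
Sample attestation and workflow text are constructed; runs offline."""
import base64
import json
import re
from urllib.parse import urlparse

# Constructed in-toto statement mimicking the jq output shown in the issue.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/lcarva/festoji@refs/heads/master",
                "digest": {"sha1": "848edc452ccbc6d42ec56c2807eef2f49e754c5e"},
                "entryPoint": ".github/workflows/package.yaml",
            }
        }
    },
}

# A DSSE envelope as cosign prints it: the statement is base64 in `payload`.
ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<constructed placeholder, not a real signature>"}],
}


def config_source(envelope):
    """Decode the DSSE payload and return predicate.invocation.configSource."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    return statement["predicate"]["invocation"]["configSource"]


def parse_git_uri(uri):
    """Split a SLSA ResourceURI 'git+https://host/owner/repo@ref' into parts.
    Non-git schemes are rejected so a policy never silently fetches from
    something that is not a git repository."""
    if not uri.startswith("git+"):
        raise ValueError(f"unsupported config source scheme: {uri}")
    location, sep, ref = uri[len("git+"):].partition("@")
    parsed = urlparse(location)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"unsupported git transport: {uri}")
    return {"host": parsed.netloc, "path": parsed.path.strip("/"), "ref": ref if sep else None}


def workflow_location(source):
    """Where to fetch the entry point from, pinned to the resolved commit.
    Assumption: a GitHub-style raw-file URL; other hosts need their own mapping."""
    git = parse_git_uri(source["uri"])
    sha1 = source["digest"]["sha1"]
    if not re.fullmatch(r"[0-9a-f]{40}", sha1):
        raise ValueError("configSource digest is not a full sha1 commit id")
    entry = source["entryPoint"]
    if entry.startswith("/") or ".." in entry.split("/"):
        raise ValueError(f"entryPoint escapes the repository: {entry}")
    return {
        "clone_url": f"https://{git['host']}/{git['path']}",
        "ref": git["ref"],
        "commit": sha1,
        "path": entry,
        # Fetch by commit, not by branch: the branch may have moved since the build.
        "raw_url": f"https://raw.githubusercontent.com/{git['path']}/{sha1}/{entry}",
    }


# Constructed workflow text standing in for the fetched package.yaml.
WORKFLOW = """\
name: package
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
      - run: make image
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""", re.MULTILINE)


def actions_used(workflow_text):
    """Return the action references ('owner/repo[/path]@ref') the workflow uses.
    A regex is enough for this illustration; a real rule would parse the YAML."""
    return USES_RE.findall(workflow_text)


def uses_action(workflow_text, action):
    """True if any step uses `action`, compared without its @version suffix."""
    return any(ref.split("@", 1)[0] == action for ref in actions_used(workflow_text))


if __name__ == "__main__":
    loc = workflow_location(config_source(ENVELOPE))
    print("fetch:", loc["raw_url"])
    print("code scanner ran:", uses_action(WORKFLOW, "github/codeql-action/analyze"))
```

The pinning to `digest.sha1` is the part a policy writer should insist on: the `uri` names a branch, and evaluating the workflow at the branch head tells you what would build the image today, not what built the image the attestation describes.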