ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.25k stars 460 forks

✨ probe: releases with verified provenance #4141

Closed raghavkaul closed 3 weeks ago

raghavkaul commented 4 weeks ago

What kind of change does this PR introduce?

Add a probe to check for verified provenance. Look up the package associated with the GitHub/GitLab project, and check if the package. In the current version, this check only supports NPM packages.

Which issue(s) this PR fixes

Closes #3038.

Addresses #1776 and #298.

Special notes for your reviewer

For now, treating "No package found" the same as "this ecosystem doesn't have packages / doesn't support publishing provenance" - with finding.NotAvailable. In the future, we might add ecosystem detection to make the latter scenario finding.NotApplicable.

Does this PR introduce a user-facing change?

probe: verified package provenance using package manager metadata
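As an added illustration of the decision logic the description sketches (provenance present, package present but unattested, or no package found at all), here is a small self-contained Go program that is not Scorecard's own probe code. It parses a constructed npm packument and maps the result onto a three-way outcome; the `Outcome` names, the `EvaluateProvenance` function and the `found` flag are this example's own, and the `dist.attestations.provenance.predicateType` field layout is assumed from the public npm registry's provenance format rather than taken from the PR.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Outcome is this example's own three-way result, modelled on the
// True / False / NotAvailable split described in the PR notes.
type Outcome int

const (
	OutcomeTrue         Outcome = iota // latest version carries a provenance attestation
	OutcomeFalse                       // package exists but has no provenance attestation
	OutcomeNotAvailable                // no package could be associated with the project
)

func (o Outcome) String() string {
	switch o {
	case OutcomeTrue:
		return "True"
	case OutcomeFalse:
		return "False"
	default:
		return "NotAvailable"
	}
}

// packument is the subset of an npm registry document this example reads.
// Assumption: the registry exposes provenance under versions.<v>.dist.attestations.
type packument struct {
	DistTags map[string]string `json:"dist-tags"`
	Versions map[string]struct {
		Dist struct {
			Attestations *struct {
				URL        string `json:"url"`
				Provenance struct {
					PredicateType string `json:"predicateType"`
				} `json:"provenance"`
			} `json:"attestations"`
		} `json:"dist"`
	} `json:"versions"`
}

// EvaluateProvenance decides the outcome for one project. found=false models the
// "No package found" case, which the PR treats as NotAvailable rather than False.
func EvaluateProvenance(found bool, raw []byte) (Outcome, string, error) {
	if !found {
		return OutcomeNotAvailable, "no package associated with this project", nil
	}
	var p packument
	if err := json.Unmarshal(raw, &p); err != nil {
		return OutcomeFalse, "", fmt.Errorf("parse packument: %w", err)
	}
	latest, ok := p.DistTags["latest"]
	if !ok {
		return OutcomeFalse, "packument has no latest dist-tag", nil
	}
	v, ok := p.Versions[latest]
	if !ok {
		return OutcomeFalse, fmt.Sprintf("latest version %s missing from packument", latest), nil
	}
	att := v.Dist.Attestations
	if att == nil || att.Provenance.PredicateType == "" {
		return OutcomeFalse, fmt.Sprintf("version %s has no provenance attestation", latest), nil
	}
	return OutcomeTrue, fmt.Sprintf("version %s has provenance (%s)", latest, att.Provenance.PredicateType), nil
}

// Constructed sample packuments; not real registry responses.
var withProvenance = []byte(`{"dist-tags":{"latest":"1.2.0"},"versions":{"1.2.0":{"dist":{
  "attestations":{"url":"https://registry.example/-/npm/v1/attestations/pkg@1.2.0",
  "provenance":{"predicateType":"https://slsa.dev/provenance/v1"}}}}}}`)

var withoutProvenance = []byte(`{"dist-tags":{"latest":"0.9.1"},"versions":{"0.9.1":{"dist":{
  "tarball":"https://registry.example/pkg/-/pkg-0.9.1.tgz"}}}}`)

func main() {
	cases := []struct {
		name  string
		found bool
		raw   []byte
	}{
		{"attested", true, withProvenance},
		{"unattested", true, withoutProvenance},
		{"no package", false, nil},
	}
	for _, c := range cases {
		o, msg, err := EvaluateProvenance(c.found, c.raw)
		fmt.Printf("%-10s -> %-12s %s (err=%v)\n", c.name, o, msg, err)
	}
}
```

A real probe would fetch the packument over HTTPS and still verify the attestation bundle itself; this example only shows where the presence check sits and why "no package" is kept separate from "package without provenance".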
codecov[bot] commented 4 weeks ago

Codecov Report

Attention: Patch coverage is 48.14815% with 28 lines in your changes missing coverage. Please review.

Project coverage is 59.97%. Comparing base (02f72e0) to head (7df77ec). Report is 4 commits behind head on main.

```diff
@@            Coverage Diff             @@
##             main    #4141      +/-   ##
==========================================
- Coverage   66.11%   59.97%   -6.14%
==========================================
  Files         232      215      -17
  Lines       16567    15637     -930
==========================================
- Hits        10954     9379    -1575
- Misses       4925     5564     +639
- Partials      688      694       +6
```