slsa-framework / slsa-policy

Apache License 2.0

Support arbitrary metadata in reusable workflow inputs #24

Open laurentsimon opened 7 months ago

laurentsimon commented 7 months ago

We need to support arbitrary metadata the user wants to associate with their release, like the version, arch, etc., as part of the reusable workflow input arguments.

These inputs can be set in the package descriptor of the attestation. If we have to use purl to pack all this, we'll offload its computation to the caller using the callbacks PURLToPackageDesc() and PackageDescToPURL(). We will need to reserve certain field names like environment to simplify verification by the deployment attestation (this is mostly relevant for containers).

laurentsimon commented 7 months ago

More generally, a reusable workflow takes as input:

  1. package name
  2. subjects, including their sha256. For containers, it's a single digest
  3. package-metadata (version, arch, etc)

(1) and (3) are used to create the package desc (in current code) or purl (if we switch to that). (1) package is matched against the policy package name (without changes?). (2) is used to populate the attestation subjects.
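The pair of callbacks sketched in the thread, PackageDescToPURL() and PURLToPackageDesc(), written out as an added example that is not slsa-policy's own code: it assumes a hypothetical PackageDesc type carrying the three inputs listed above, a generic purl type with the sha256 digest in the version slot, and environment as the one reserved metadata key; both directions reject reserved keys so the caller cannot set them through inputs or a purl.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PackageDesc holds the issue's three inputs: package name, subject sha256, caller metadata (assumed shape).
type PackageDesc struct {
	Name, Digest string
	Metadata     map[string]string // version, arch, ... (free-form caller fields)
}

// reserved keys (e.g. environment) belong to the policy; a caller must never set them.
var reserved = map[string]bool{"environment": true}

// PackageDescToPURL packs a descriptor as pkg:generic/<name>@sha256:<digest>?<qualifiers> (assumed layout).
func PackageDescToPURL(d PackageDesc) (string, error) {
	q := url.Values{}
	for k, v := range d.Metadata {
		if reserved[k] {
			return "", fmt.Errorf("metadata key %q is reserved for the policy", k)
		}
		q.Set(k, v)
	}
	s := "pkg:generic/" + d.Name + "@sha256:" + d.Digest
	if enc := q.Encode(); enc != "" { // Encode sorts qualifiers by key: canonical form
		s += "?" + enc
	}
	return s, nil
}

// PURLToPackageDesc inverts it; repeating the reserved-key check blocks crafted purls.
func PURLToPackageDesc(s string) (PackageDesc, error) {
	rest, rawQ, _ := strings.Cut(strings.TrimPrefix(s, "pkg:generic/"), "?")
	name, digest, ok := strings.Cut(rest, "@sha256:")
	vals, err := url.ParseQuery(rawQ)
	if !strings.HasPrefix(s, "pkg:generic/") || !ok || name == "" || digest == "" || err != nil {
		return PackageDesc{}, fmt.Errorf("malformed purl %q", s)
	}
	d := PackageDesc{Name: name, Digest: digest, Metadata: map[string]string{}}
	for k, v := range vals {
		if reserved[k] {
			return PackageDesc{}, fmt.Errorf("metadata key %q is reserved for the policy", k)
		}
		d.Metadata[k] = v[0]
	}
	return d, nil
}
```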