Support for GitLab provenance

[laurentsimon]

GitLab has some support in https://github.com/npm/cli/pull/6375

https://gist.github.com/wlynch/42e89527d51bc72a61279f0c7f3be1cd

[laurentsimon]

v0.2 provenance does not have a stable builder ID, so we may defer implementation to v1.0

[ramonpetgrave64]

They are still using slsa v0.2, and that older definition of BuilderID.

• https://github.com/npm/cli/blob/22731831e22011e32fa0ca12178e242c2ee2b33d/workspaces/libnpmpublish/lib/provenance.js#L67
• https://github.com/npm/cli/pull/6375#discussion_r1173989123

I think for gitlab the BuilderID should also be the ref to Gitlab's own equivalent of a GithubWorkflow definition yaml file. And we would need to upgrade the npmcli attestation-generating code to start using v1, like @laurentsimon suggests.

• https://docs.gitlab.com/ee/ci/migration/github_actions.html#:~:text=A%20GitHub%20Action%20workflow%20is,gitlab%2Dci.