Add build-attestation target #422

Open

ppkarwasz wants to merge 5 commits into codec-1.22.0 from feat/slsa

Conversation

@ppkarwasz
Contributor

This PR was moved from apache/commons-build-plugin#417

It adds a goal to generate a [SLSA](https://slsa.dev/) build attestation and attaches it to the build as a file with the `.intoto.json` extension.

The attestation records the following information about the build environment:

- The Java version used (vendor, version string)
- The Maven version used
- The `gitTree` hash of the unpacked Java distribution
- The `gitTree` hash of the unpacked Maven distribution
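
As an added example (not code from this PR or from commons-release-plugin), a Python script that recomputes the `gitTree` hash of an unpacked distribution the way `git write-tree` would, so that someone checking a release build can compare the directory they unpacked locally with the value recorded in the attestation. The attestation key names (`mavenDistribution`, a nested `gitTree` field) are assumptions for illustration; the real layout is the one defined in the PR's `v0.1.0.md`.

```python
import hashlib
import os
import stat
import tempfile

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # sha1(b"tree 0\0")

def git_blob_hash(data: bytes) -> str:
    """SHA-1 of a git blob object, as `git hash-object` computes it."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def git_tree_hash(path: str) -> str:
    """SHA-1 of the git tree object for a directory, as `git write-tree` records it."""
    entries = []
    for name in os.listdir(path):
        full, raw = os.path.join(path, name), os.fsencode(name)
        st = os.lstat(full)
        if stat.S_ISDIR(st.st_mode):
            digest = git_tree_hash(full)
            if digest == EMPTY_TREE:  # git tracks no empty directories
                continue
            mode, key = b"40000", raw + b"/"
        elif stat.S_ISLNK(st.st_mode):
            mode, key = b"120000", raw
            digest = git_blob_hash(os.fsencode(os.readlink(full)))
        else:
            mode = b"100755" if st.st_mode & stat.S_IXUSR else b"100644"
            with open(full, "rb") as f:
                digest = git_blob_hash(f.read())
            key = raw
        entries.append((key, mode + b" " + raw + b"\0" + bytes.fromhex(digest)))
    # git orders entries bytewise, comparing a directory name as "name/"
    body = b"".join(entry for _, entry in sorted(entries))
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def verify_git_tree(attestation: dict, component: str, unpacked_dir: str) -> bool:
    """True when the unpacked distribution matches the recorded gitTree hash."""
    return git_tree_hash(unpacked_dir) == attestation[component]["gitTree"]

def demo() -> dict:
    """Constructed sample: record a one-file tree (assumed key names), verify it, then detect a change."""
    with tempfile.TemporaryDirectory() as d:
        empty = git_tree_hash(d)
        with open(os.path.join(d, "release"), "wb") as f:
            f.write(b"hello\n")
        attestation = {"mavenDistribution": {"gitTree": git_tree_hash(d)}}
        ok = verify_git_tree(attestation, "mavenDistribution", d)
        with open(os.path.join(d, "release"), "ab") as f:
            f.write(b"patched\n")  # simulate a modified distribution
        tampered_ok = verify_git_tree(attestation, "mavenDistribution", d)
    return {"empty": empty, "verified": ok, "tampered_verified": tampered_ok}
```

Because the hash is computed over file contents, modes and names exactly as git does, the same unpacked Maven or JDK distribution yields the same `gitTree` value regardless of where or when it was extracted.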

@ppkarwasz
Contributor Author

You can find the documentation of what elements are contained in the attestations in this file (included in the PR):

https://github.com/apache/commons-release-plugin/blob/feat/slsa/src/site/markdown/slsa/v0.1.0.md

I have some doubts regarding which dependencies of the project build should be included in the attestation:

- Some information about the Maven distribution should certainly be present.
- However, the checksums of all project dependencies, Maven plugins and their dependencies might be more suited to the build SBOM. By verifying the SBOM reproducibility, we have already discovered some small differences in the dependencies used by the release build and the voting builds.

@garydgregory
Member

What about the JDK or OS?

@ppkarwasz
Contributor Author

Information about the JDK is already present. I don't know if we need information about the OS: that information is usually partially included in the JDK version strings.
