release: add provenance with GitHub actions

[v1v]

What does this pull request do?

Run the release steps partially for main - to validate things work smoothly before the release. It skips the below steps:

• npm publish
• github release creation

Further details

Use the GitHub provenance in this project as explained in https://docs.npmjs.com/generating-provenance-statements

## Test

I created a test feature branch and https://github.com/elastic/apm-agent-nodejs/actions/runs/8819809747 is now running in dry-run mode:

• https://github.com/elastic/apm-agent-nodejs/attestations

[trentm]

Moving away from the push-docker.sh script drops support for only sometimes applying the "latest" Docker tag to an image. This handling was used so that we could use the same push-docker.sh script for the current latest major releases (4.x) and for the 3.x maintenance branch.

I suppose this is fine, given that we won't add provenance support to the 3.x branch. At some point if/when tehre is a 5.x major, then we'd need to make sure that a maintenance 4.x release does NOT push the "latest" Docker tag.

[v1v]

Shall we move this topic to a follow-up?

[trentm]

Yes, this PR doesn't need to handle this.

[trentm]

Q: Do we really want to (a) publish attestations (this goes on a public immutable ledger of some sort, IIUC), and (b) docker build and push for every commit to main? My concern is that this is very wasteful.

[v1v]

I'm probably biased, but I prefer to run the release on the main branch with a dry-run or a subset of the jobs; this can detect any breaking changes in workflows.

Therefore, I enabled the provenance for those artefacts - I see it might be useful, and those artefacts will be available and with their attestations.

From the disc space, it should be ok, there is no limitation in our elastic docker registry