multi-arch-build with docker/github-builder

[mathieu-benoit]

Use https://github.com/docker/github-builder:

This workflow provides a trusted BuildKit instance and generates signed SLSA-compliant provenance attestations, guaranteeing the build happened from the source commit and all build steps ran in isolated sandboxed environments from immutable sources. This enables GitHub projects to follow a seamless path toward higher levels of security and trust.

The container image signing verification (cosign/sigstore) is now done with this docker/github-builder 🥳

cosign verify \
    --experimental-oci11 \
    --new-bundle-format \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp ^https://github.com/docker/github-builder/.github/workflows/build.yml.*$ \
    ghcr.io/score-spec/score-compose@sha256:67413511783c072aad1131499d6abf8ffc32ffaa815b41fc4c436eb6ea409d06 \
    | jq .

Verification for ghcr.io/score-spec/score-compose@sha256:67413511783c072aad1131499d6abf8ffc32ffaa815b41fc4c436eb6ea409d06 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/score-spec/score-compose@sha256:67413511783c072aad1131499d6abf8ffc32ffaa815b41fc4c436eb6ea409d06"
      },
      "image": {
        "docker-manifest-digest": "sha256:67413511783c072aad1131499d6abf8ffc32ffaa815b41fc4c436eb6ea409d06"
      },
      "type": "https://sigstore.dev/cosign/sign/v1"
    },
    "optional": {}
  }
]

[github-actions]

Overview

Image reference	score-compose:latest	score-compose:latest
- digest	52b803ba4af3	e00d4fada17b
- tag	latest	latest
- provenance	fcc6bb0	bbc2305
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	5.8 MB	5.8 MB (+3 B)
- packages	54	54

Policies (0 improved, 0 worsened)

Policy Name	score-compose:latest	score-compose:latest	Change	Standing
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	✅	✅		No Change
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	✅		No Change
No unapproved base images	✅	✅		No Change
Supply chain attestations	✅	✅		No Change
Valid Docker Hardened Image (DHI) or DHI base image	⚠️ 2	⚠️ 2		No Change

Packages and Vulnerabilities (1 package changes and 0 vulnerability changes)

• ♾️ 1 packages changed
• 53 packages unchanged

Changes for packages of type golang (1 changes)

	Package	Version score-compose:latest	Version score-compose:latest
♾️	github.com/score-spec/score-compose	0.0.0-20260202211020-fcc6bb04c47d+dirty	0.0.0-20260207001601-bbc2305aeef1+dirty