Add repository_id and actor_id to provenance

[laurentsimon]

There's a recent attack that manages to re-name repositories https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e, which would bypass the current provenance verification.

We can protect agains this by recording the repository_id, see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token

This could also be added to Fulcio's certificate generation. @asraa shall we start a threat about this on sigstore repos?

For the time being, let's record it as part of the invocation, and provide some examples in the README how to extract it, e.g. via ja

[laurentsimon]

Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/2419171690
Workflow name: go schedule main SLSA3 config-noldflags
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/
Trigger: schedule
Branch: main
Date: Wed Jun 1 04:02:50 UTC 2022

[laurentsimon]

Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/2420591002
Workflow name: go schedule main SLSA3 adversarial build provenance
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/
Trigger: schedule
Branch: main
Date: Wed Jun 1 09:30:17 UTC 2022

Tests are passing now. Closing this issue.