Push SBOMs with oras
Summary
In order to work around the current limitations of cosign attach --sbom, which currently only supports pushing a single SBOM without combining it with existing SBOMs, we should incorporate the use of oras to push multiple artifacts at once while combining them into a single SBOM artifact.
Example
oras push localhost:5000/golang:sha256-5a865e8658ea586ae8658655ea865ca86f8e65fe6 golang-1-17-cyclonedx.xml:application/vnd.cyclonedx golang-1-17-syft-json.json:application/vnd.syft+json
Edited by Tim Seagren
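A sketch of how the command in the Example could be assembled and validated before anything is pushed. This is an added example, not code from the issue or from the cosign or oras projects. The function names, the filename-suffix mapping and the all-zero sample digest are assumptions; the two media types and the sha256-<hex> tag form are taken from the Example above.

```sh
#!/bin/sh
# Added example: build (and print, not run) a multi-SBOM `oras push` command.

# Constructed sample digest (64 zeros), not a real image digest.
SAMPLE_DIGEST="sha256:$(printf '%064d' 0)"

# Map an SBOM file name to the media type used in the Example.
# The suffix-based mapping is an assumption made for this sketch.
sbom_media_type() {
  case "$1" in
    *cyclonedx.xml)  echo "application/vnd.cyclonedx" ;;
    *syft-json.json) echo "application/vnd.syft+json" ;;
    *) return 1 ;;
  esac
}

# Turn "sha256:<hex>" into the tag form "sha256-<hex>".
# Rejects anything that is not exactly 64 lowercase hex characters, so a
# malformed or attacker-influenced value never ends up in a registry reference.
sbom_tag() {
  case "$1" in
    sha256:*) hex=${1#sha256:} ;;
    *) return 1 ;;
  esac
  case "$hex" in
    ''|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || return 1
  echo "sha256-$hex"
}

# oras_push_cmd REPO DIGEST FILE... : print one push that carries every SBOM.
oras_push_cmd() {
  repo=$1; digest=$2; shift 2
  tag=$(sbom_tag "$digest") || { echo "bad digest: $digest" >&2; return 1; }
  [ "$#" -gt 0 ] || { echo "no SBOM files given" >&2; return 1; }
  cmd="oras push $repo:$tag"
  for f in "$@"; do
    mt=$(sbom_media_type "$f") || { echo "unknown SBOM format: $f" >&2; return 1; }
    cmd="$cmd $f:$mt"
  done
  echo "$cmd"
}

# Print the command for review; run it only after checking the output.
oras_push_cmd localhost:5000/golang "$SAMPLE_DIGEST" \
  golang-1-17-cyclonedx.xml golang-1-17-syft-json.json
```

Because all SBOM files go into a single push, an unknown file type or a malformed digest aborts the whole command instead of leaving a partially populated SBOM artifact in the registry.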