Scan-logic | Update vat stage
- Add scan-logic as stage dependency to access env file
- Update vat stage
  - Push to VAT like normal
  - Provide different build and scan timestamps to VAT?
  - As long as the pipeline/job ID is new, VAT will consider this a "new" scan. A rescan should NOT use the old job ID somehow.
  - Still push new VAT attestation with cosign
  - Old SBOM attestations need to be retained. They can be kept with their old attachment signatures, or recreated as new attestations. Whichever.
  - Future TODO though, today these are attachments, not attestations
  - The cosign .sig image signature does NOT need to be re-signed
- Update unit tests as necessary
Note: Make sure the correct (old or new) digest is used when appropriate. Also, any timestamps: use the original build timestamp when appropriate.
During development, set FORCE_SCAN_NEW_IMAGE=true at the dsop/ group level. This allows us to incrementally merge code into ironbank-pipeline without breaking the pipeline or requiring one very large MR.
Edited by Cody Miller