
Add SLSA provenance statement capability to Rails backend (job artifact archive only)

Why are we doing this work

As part of implementing SLSA provenance statement generation in the Rails backend (&17702), we're making the Rails backend capable of generating a provenance statement for a given Ci::Build model and rendering that statement as a JSON document.

This is NOT a behavior change. Follow-up issues of the same parent epic will cover calling provenance generation from a worker, and uploading the statement to object storage.

The scope is limited to job artifact archives. Producing a provenance for the individual job artifacts is out of scope.

Non-functional requirements

  • Documentation:
  • Feature flag (optional):
  • Performance:
    • Check that provenance generation consumes a reasonable amount of resources compared to other tasks happening when a CI/CD job finishes. Example: artifact report ingestion.
    • Ensure that complexity is constant or linear. Inputs: number of artifacts, number of CI/CD variables.
  • Testing:
    • Validate output against the JSON schema of the in-toto statement v1 with the SLSA provenance predicate.
    • Implement unit tests (rspec).

Implementation plan

This PR will be implemented based on the PoC provided by @darbyfrey here.

Create a new serialization framework for SLSA provenance statements.

This object could later be modified to perform attestations.

  1. Create a model, tentatively Ci::Slsa::ProvenanceStatement.
  2. Make the object JSON serializable. https://api.rubyonrails.org/classes/ActiveModel/Serialization.html
  3. Create new tests for the new model.

Create a new method within Ci::Build, tentatively slsa_attestation, that returns the Ci::Slsa::ProvenanceStatement that corresponds to it.

The new method would be called as follows: Ci::Build.find(1337).slsa_attestation.

  1. Create a method within the Ci::Build model.
  2. Ensure the method populates the field as documented in this related issue. #536022 (closed)
  3. Create unit tests for the new method.
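As an added example (not the PoC and not GitLab's own code), here is a plain-Ruby sketch of the serialization framework and the build-derived statement described in the two steps above. It assumes a constructed FakeBuild stand-in for Ci::Build, placeholder buildType/builder URIs, and a lightweight structural check in place of the full JSON-schema validation.

```ruby
require 'json'
# Constructed stand-in for the Ci::Build fields used here (the real model is ActiveRecord).
FakeBuild = Struct.new(:id, :ref, :sha, :variables, :artifact_name, :artifact_sha256, keyword_init: true)

module Ci
  module Slsa
    # Hypothetical ProvenanceStatement, plain Ruby so it runs without Rails (the
    # real model would include ActiveModel::Serialization instead).
    class ProvenanceStatement
      STATEMENT_TYPE = 'https://in-toto.io/Statement/v1'
      PREDICATE_TYPE = 'https://slsa.dev/provenance/v1'
      # Placeholders: GitLab's real buildType and builder ids are not on the page.
      BUILD_TYPE = 'https://example.invalid/ci-build-type/PLACEHOLDER'
      BUILDER_ID = 'https://example.invalid/builder/PLACEHOLDER'
      def initialize(build)
        @build = build
      end
      # Scope is the job artifact archive only, so it is the single subject.
      def subject
        [{ 'name' => @build.artifact_name, 'digest' => { 'sha256' => @build.artifact_sha256 } }]
      end
      # One pass over variables (linear in their count); masked variables are
      # dropped so secrets never land in a statement that may be published.
      def external_parameters
        vars = @build.variables.reject { |v| v[:masked] }.to_h { |v| [v[:key], v[:value]] }
        { 'ref' => @build.ref, 'sha' => @build.sha, 'variables' => vars }
      end
      def predicate
        { 'buildDefinition' => { 'buildType' => BUILD_TYPE, 'externalParameters' => external_parameters },
          'runDetails' => { 'builder' => { 'id' => BUILDER_ID }, 'metadata' => { 'invocationId' => @build.id.to_s } } }
      end

      def as_json
        { '_type' => STATEMENT_TYPE, 'subject' => subject, 'predicateType' => PREDICATE_TYPE, 'predicate' => predicate }
      end

      def to_json(*)
        JSON.generate(as_json)
      end

      # Structural check of the in-toto Statement v1 envelope (not the full JSON-schema check the issue asks for).
      def self.structurally_valid?(json)
        doc = JSON.parse(json)
        %w[_type subject predicateType predicate].all? { |k| doc.key?(k) } &&
          doc['_type'] == STATEMENT_TYPE && doc['subject'].is_a?(Array) &&
          doc['subject'].all? { |s| s['name'] && !s['digest'].to_h.empty? }
      end
    end
  end
end
```

The masked-variable filter is the part worth keeping in mind for the real model: provenance is meant to be published alongside the artifact, so anything exported into externalParameters must be safe to disclose.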

Verification steps

  • Manually trigger a local build and inspect the attestation object by interacting with Ci::Build.to_slsa.
  • Ensure documentation is ready to go #426764 (closed)

Further reading

Edited by Fabien Catteau