Commit 69950a9c authored by Clement Bois's avatar Clement Bois

feat(cosign): split sign and attest opts

parent 3b0b1ced
+3 −1
@@ -243,7 +243,9 @@ The signing process can be configured with the following variables:
| Input / Variable                                          | Description                                  | Default value         |
| --------------------------------------------------------- | -------------------------------------------- | --------------------- |
| `cosign-strategy` / `DOCKER_COSIGN_STRATEGY`              | Determines when images should be signed with [cosign](https://github.com/sigstore/cosign (`never`: disabled, `onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `cosign-enabled` / `DOCKER_COSIGN_ENABLED` takes precedence | `never` |
| `cosign-opts` / `DOCKER_COSIGN_OPTS`                      | Options for cosign | `--tlog-upload=false` |
| `cosign-opts` / `DOCKER_COSIGN_OPTS`                      | Options for [`cosign sign`](https://docs.sigstore.dev/cosign/signing/signing_with_containers/) command | `--tlog-upload=false` |
| `cosign-attest-opts` / `DOCKER_COSIGN_ATTEST_OPTS`        | Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
 | `--tlog-upload=false` |
| `cosign-dist-url` / `DOCKER_COSIGN_DIST_URL`              | Url to the `linux-amd64` binary of Cosign to use (ex: `https://github.com/sigstore/cosign/releases/download/v2.5.0/cosign-linux-amd64`)<br/>_When unset, the latest version will be used_ | _none_ |
| :lock: `cosign-private-key` / `DOCKER_COSIGN_PRIVATE_KEY` | Private key used for signing the Docker image and the attestation | _none_ |
| :lock: `cosign-password` / `COSIGN_PASSWORD`              | Password of the private key | _none_ |
+7 −1
@@ -231,7 +231,13 @@
        },
        {
          "name": "DOCKER_COSIGN_OPTS",
          "description": "Options for cosign",
          "description": "Options for [`cosign sign`](https://docs.sigstore.dev/cosign/signing/signing_with_containers/) command",
          "default": "--tlog-upload=false",
          "advanced": true
        },
        {
          "name": "DOCKER_COSIGN_ATTEST_OPTS",
          "description": "Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command",
          "default": "--tlog-upload=false",
          "advanced": true
        },
+6 −2
@@ -180,7 +180,10 @@ spec:
      - always
      default: never
    cosign-opts:
      description: Options for cosign
      description: Options for [`cosign sign`](https://docs.sigstore.dev/cosign/signing/signing_with_containers/) command
      default: --tlog-upload=false
    cosign-attest-opts:
      description: Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command
      default: --tlog-upload=false
    cosign-dist-url:
      description: |-
@@ -292,6 +295,7 @@ variables:
  COSIGN_YES: "true" # skip confirmation prompts for non-destructive operations
  DOCKER_COSIGN_STRATEGY: $[[ inputs.cosign-strategy ]]
  DOCKER_COSIGN_OPTS: $[[ inputs.cosign-opts ]]
  DOCKER_COSIGN_ATTEST_OPTS: $[[ inputs.cosign-attest-opts ]]
  DOCKER_COSIGN_DIST_URL: $[[ inputs.cosign-dist-url ]]

  # default: one-click publish
@@ -1333,7 +1337,7 @@ docker-sbom:
        log_info "Attaching attested SBOM to ${DOCKER_SNAPSHOT_IMAGE}..."
        install_cosign
        configure_cosign_private_key
        $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${DOCKER_SNAPSHOT_IMAGE}
        $docker_cosign attest --key ${docker_cosign_private_key} ${DOCKER_COSIGN_ATTEST_OPTS} --predicate reports/docker-sbom-${basename}.cyclonedx.json ${DOCKER_SNAPSHOT_IMAGE}
      fi
  artifacts:
    name: "SBOM for docker from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
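Review bot: The switch from `${DOCKER_COSIGN_OPTS}` to `${DOCKER_COSIGN_ATTEST_OPTS}` on the `cosign attest` line of docker-sbom silently drops any flag a user had placed in `DOCKER_COSIGN_OPTS` expecting it to reach attest as well, and neither the new input description nor the commit message calls this out; the `cosign-attest-opts` description would be clearer as `description: Options for [`cosign attest`](https://docs.sigstore.dev/cosign/verifying/attestation/) command (independent of `cosign-opts`, which only applies to `cosign sign`)`. Since both variables keep `--tlog-upload=false` as default, it is also worth a one-line comment next to the two `default:` lines noting that signatures and attestations are then not recorded in the transparency log, so verifiers must be configured accordingly. The variable is expanded unquoted on the attest line, so it is word-split like the existing `${DOCKER_COSIGN_OPTS}` usage; a value containing spaces inside a single flag would break, which mirrors prior behaviour but could be stated in the input description. The enclosing `if` block and script of the docker-sbom job start outside the hunk.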