Description
Google Cloud Build attestations are stored using the OCI 1.1 spec, which introduces the referrers API as the new canonical way to link related artifacts such as images and their provenance attestations. As of now, the policy controller is unable to discover attestations stored this way; it can only discover attestations stored with the tag <subject digest>.att. If attestations exist but are stored with the OCI 1.1 method, then the policy controller gives up with "no matching attestations".
In the example below I demonstrate how to reproduce this problem with the public image us-docker.pkg.dev/cloudrun/container/hello@sha256:ee5d023051b0f808d0acb7880dec05ee0fc4f59667a529218ecf8159f1e72a45. The 2 policies below are available here.
We only need to instruct the controller to discover attestations using the OCI 1.1 spec, for instance when a flag is passed. I've implemented this in #1894.
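The two discovery paths this issue contrasts, side by side, as an added Go example that is neither the policy-controller's code nor part of #1894: the tag-based lookup (cosign's `<alg>-<hex>.att` tag in the subject's repository), the OCI 1.1 referrers endpoint `GET /v2/<name>/referrers/<digest>`, and the referrers tag schema `<alg>-<hex>` that a client must fall back to when a registry answers 404 to that endpoint. The registry, repository and digest are taken from the public image in the issue; the referrers index and the `AttestationArtifactType` value are constructed placeholders (the real artifactType cosign sets is not stated on this page), so the filter only shows the shape of the check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AttestationArtifactType is an ASSUMED placeholder, not cosign's real artifactType.
const AttestationArtifactType = "application/vnd.example.attestation+json"

// SampleReferrersIndex is a constructed referrers response: an OCI image index
// listing the artifacts whose "subject" field names the image being verified.
const SampleReferrersIndex = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1234,
     "digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "artifactType": "application/vnd.example.attestation+json"},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 567,
     "digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "artifactType": "application/vnd.example.signature+json"}
  ]
}`

type Descriptor struct {
	MediaType    string `json:"mediaType"`
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType,omitempty"`
}

type ReferrersIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	Manifests     []Descriptor `json:"manifests"`
}

// subjectTag rewrites "sha256:<hex>" as "sha256-<hex>" (':' is not legal in a tag).
func subjectTag(digest string) (string, error) {
	alg, enc, ok := strings.Cut(digest, ":")
	if !ok || alg == "" || enc == "" {
		return "", fmt.Errorf("malformed digest %q", digest)
	}
	return alg + "-" + enc, nil
}

// LegacyAttestationTag is the scheme the controller discovers today: cosign
// stores attestations under <alg>-<hex>.att in the subject's repository.
func LegacyAttestationTag(digest string) (string, error) {
	t, err := subjectTag(digest)
	if err != nil {
		return "", err
	}
	return t + ".att", nil
}

// ReferrersURL is the OCI 1.1 endpoint listing artifacts that refer to the
// subject: GET /v2/<name>/referrers/<digest>. The digest is validated first.
func ReferrersURL(registry, repo, digest string) (string, error) {
	if _, err := subjectTag(digest); err != nil {
		return "", err
	}
	return fmt.Sprintf("https://%s/v2/%s/referrers/%s", registry, repo, digest), nil
}

// ReferrersFallbackTag is what a client fetches when the registry answers 404
// to the referrers endpoint (OCI 1.1 referrers tag schema): <alg>-<hex>.
func ReferrersFallbackTag(digest string) (string, error) { return subjectTag(digest) }

// FilterReferrers decodes a referrers index and keeps descriptors whose
// artifactType matches; server-side ?artifactType= filtering is optional.
func FilterReferrers(indexJSON []byte, artifactType string) ([]Descriptor, error) {
	var idx ReferrersIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("decode referrers index: %w", err)
	}
	var out []Descriptor
	for _, d := range idx.Manifests {
		if d.ArtifactType == artifactType {
			out = append(out, d)
		}
	}
	return out, nil
}

func main() {
	registry, repo := "us-docker.pkg.dev", "cloudrun/container/hello"
	digest := "sha256:ee5d023051b0f808d0acb7880dec05ee0fc4f59667a529218ecf8159f1e72a45"
	tag, _ := LegacyAttestationTag(digest)
	url, _ := ReferrersURL(registry, repo, digest)
	fallback, _ := ReferrersFallbackTag(digest)
	fmt.Printf("tag-based lookup:       %s/%s:%s\n", registry, repo, tag)
	fmt.Printf("referrers API lookup:   %s\nreferrers tag fallback: %s/%s:%s\n", url, registry, repo, fallback)
	refs, err := FilterReferrers([]byte(SampleReferrersIndex), AttestationArtifactType)
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Println("attestation manifest:  ", r.Digest)
	}
}
```

A verifier that only computes `LegacyAttestationTag` will report no attestations for an image whose provenance was pushed as a referrer, which is the failure the issue describes; a verifier that queries `ReferrersURL` must also handle the 404 case by reading the `ReferrersFallbackTag` index, and should filter the returned descriptors itself rather than trust that the registry applied the `artifactType` filter.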