verify updater container image signatures using cosign
Now that the updater container images are signed as part of https://github.com/dependabot/dependabot-core/issues/9546, we need to verify those signatures when using those container images.
This change allows us to verify that the container images we pull were built by a GitHub Actions workflow in the main branch of https://github.com/dependabot/dependabot-core.
The code is equivalent to running:
$ cosign verify \
ghcr.io/dependabot/dependabot-updater-<ecosystem>:latest \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/dependabot/dependabot-core/.github/workflows/images-latest.yml@refs/heads/main
TODO:
- [ ] See if it's possible to decrease the number of dependencies this change adds
Related to #308
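Added example, not code from this PR or from dependabot/cli (the CLI itself is written in Go and uses the cosign library directly): a small Python wrapper around the `cosign verify` invocation above that keeps the keyless policy pinned to the exact workflow identity and, once verification passes, returns the image pinned to the verified manifest digest instead of the mutable `:latest` tag, so the image that is pulled is the one whose signature was checked. It assumes cosign's JSON output shape (one array per image, each entry with `critical.image.docker-manifest-digest` and, for keyless signatures, `optional.Issuer` and `optional.Subject`); the sample output and its digest value are constructed for the example. The `verify_updater_image`, `pinned_digest`, `strip_tag`, `updater_image` and `expected_identity` helpers are hypothetical names introduced here.

```python
"""Added example: enforce the cosign keyless policy and pin to the verified digest.

Assumptions (not taken from the PR): cosign prints a JSON array per verified
image; each entry has critical.image.docker-manifest-digest and, for keyless
signatures, optional.Issuer / optional.Subject. SAMPLE_OUTPUT below is
constructed, not captured from a real run.
"""
import json
import subprocess

OIDC_ISSUER = "https://token.actions.githubusercontent.com"
CORE_REPO = "https://github.com/dependabot/dependabot-core"


def expected_identity(workflow="images-latest.yml", ref="refs/heads/main"):
    """Certificate identity of a GitHub Actions workflow run on a given ref."""
    return f"{CORE_REPO}/.github/workflows/{workflow}@{ref}"


def updater_image(ecosystem, tag="latest"):
    """Image reference for one updater ecosystem (hypothetical helper)."""
    return f"ghcr.io/dependabot/dependabot-updater-{ecosystem}:{tag}"


def strip_tag(image):
    """Drop a trailing ':tag' but leave a registry port such as host:5000/x alone."""
    name, sep, tag = image.rpartition(":")
    return name if sep and "/" not in tag else image


def pinned_digest(verify_output, image, identity, issuer=OIDC_ISSUER):
    """Return image@sha256:... for the digest vouched for by a signature whose
    certificate matches issuer and identity exactly; raise otherwise.

    cosign already enforces the identity passed on its command line; repeating
    the exact-match check here guards against a misconfigured wrapper (e.g. a
    regexp flag that widened the allowed subject) and yields the digest so the
    caller never re-resolves the mutable tag between verify and pull.
    """
    try:
        signatures = json.loads(verify_output)
    except json.JSONDecodeError as exc:
        raise ValueError(f"cosign output for {image} is not JSON: {exc}") from exc
    if not isinstance(signatures, list) or not signatures:
        raise ValueError(f"no signatures returned for {image}")

    digests = set()
    for sig in signatures:
        optional = sig.get("optional") or {}
        if optional.get("Issuer") != issuer or optional.get("Subject") != identity:
            continue  # signed, but not by the workflow we trust
        digest = sig["critical"]["image"]["docker-manifest-digest"]
        if not digest.startswith("sha256:"):
            raise ValueError(f"unexpected digest format: {digest}")
        digests.add(digest)

    if not digests:
        raise ValueError(f"{image}: no signature from {identity} ({issuer})")
    if len(digests) != 1:
        raise ValueError(f"{image}: signatures vouch for different digests {sorted(digests)}")
    return f"{strip_tag(image)}@{digests.pop()}"


def verify_updater_image(ecosystem, run=subprocess.run):
    """Run the same cosign command as the PR description and return the pinned ref.

    `run` is injectable so the flow can be exercised without cosign installed.
    """
    image = updater_image(ecosystem)
    identity = expected_identity()
    proc = run(["cosign", "verify", image,
                "--certificate-oidc-issuer", OIDC_ISSUER,
                "--certificate-identity", identity],
               capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"cosign verify failed for {image}: {proc.stderr.strip()}")
    return pinned_digest(proc.stdout, image, identity)


# Constructed sample in the shape cosign prints; the digest is made up.
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/dependabot/dependabot-updater-npm"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": OIDC_ISSUER, "Subject": expected_identity()},
}])

if __name__ == "__main__":
    print(pinned_digest(SAMPLE_OUTPUT, updater_image("npm"), expected_identity()))
```

The identity is matched as an exact string on purpose: a signature from the same workflow on a feature branch (`@refs/heads/feature`) or from a fork carries a different Subject and is rejected, which is the property the PR relies on when it restricts trust to `refs/heads/main`.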
OpenTelemetry containers are also signed with cosign:
$ cosign verify \
docker.io/otel/opentelemetry-collector-contrib:latest \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/open-telemetry/opentelemetry-collector-releases/.github/workflows/base-release.yaml@refs/tags/v0.99.0
Verification for index.docker.io/otel/opentelemetry-collector-contrib:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
...