chore: next step in container image publishing

[tarilabs]

recommend:

• use docker/build-push-action for multi-arch in the ci/cd GHA (gives us rich metadata)
• using the anchore/sbom-action to produce the spdx sbom
• Attest, not Attach, the sbom with cosign along with image signature (this would ensure also the sbom is signed)

following up on https://github.com/kubeflow/model-registry/pull/1790#pullrequestreview-3374876556