GA readiness

[crazy-max]

• Auth scope support
  • Buildx 0.31.0 auth: add option to load docker config for specific repo/scope buildx#3562
  • Login Action Add scope input to set scopes for the authentication token login-action#912
• Verify external dependencies
  • Buildx binary
    • Pin version pin buildx and buildkit versions #37
    • Sign binaries ci: use docker github builder to build bin image and binaries buildx#3520
    • Verify buildx binary signature on install in actions-toolkit
  • BuildKit image moby/buildkit
    • Pin image pin buildx and buildkit versions #37
    • Sign image ci: use docker github builder to build binaries and images moby/buildkit#6388
    • Verify BuildKit image signature in reusable workflow
  • BuildKit Syft scanner image (SBOM) docker/buildkit-syft-scanner
    • Pin image pin buildkit syft scanner image #76
    • Sign image ci: use docker github builder to build the image buildkit-syft-scanner#153
    • Built-in signature verification of the image in BuildKit or in the reusable workflow using cosign
  • Cosign binary
    • Verify cosign binary signature cosign(install): verify binary signature with keyless verification bundle actions-toolkit#904
  • Binfmt image (QEMU action) tonistiigi/binfmt
    • Pin image pin binfmt image #79
    • Sign image ci: use docker github builder to build images and binaries tonistiigi/binfmt#279
    • Auth scope support to avoid rate limitation with Docker Hub
    • Verification in the reusable workflow using cosign
  • GHA cache blobs sign github actions cache blobs #60
  • Pin GitHub Actions pin all actions #53
  • Trusted publishing and signing for actions-toolkit module ci: use trusted publishing to publish our package actions-toolkit#906

cc @tonistiigi @colinhemmings