regexp support for policy subjectAlternativeName verifier

[crazy-max]

relates to docker/actions-toolkit#929

Summary

Adds support for RegExp when verifying policy subjectAlternativeName. This is similar to cosign behavior with --certificate-identity-regexp flag:

https://github.com/sigstore/cosign/blob/10e56727c01bd682da2d536819c1493a84884940/doc/cosign_verify.md?plain=1#L89

--certificate-identity-regexp string                                                       A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.

This is specially useful when we want to match a dynamic subjectAlternativeName when signing using the github actions provider like: https://oci.dag.dev/?image=public.ecr.aws%2Fq3b5f1u4%2Ftest-docker-action%40sha256%3A670d819051bdec9cb7e4789217cd2fae3e4f1359376421ada2af1e4d53f84d3e&jq=.layers%5B0%5D.annotations%5B%22dev.sigstore.cosign%2Fcertificate%22%5D&render=x509

https://github.com/docker/github-builder-experimental/.github/workflows/build.yml@refs/heads/build-reusable-workflow

Where the ref changes based on user invocation.

Release Note

• Regexp support for policy subjectAlternativeName verifier

Documentation

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9529edc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR