Support outputting unsigned provenance

[asraa]

In case a user wants to create GitHub workflow provenance and then attach that to a container image using cosign CLI. By doing this, the attached container image would include rekor bundle and certificate in the cosign simple signing schema.

e.g.

$ ./slsa-github-generator attest --unsigned --output predicate.json

$ ./cosign attest --predicate predicate.json --type intoto gcr.io/asra-ali/hello-ko

The generic provenance builder should only output the predicate

cc @laurentsimon

[ianlewis]

Would --unsigned imply --predicate should be set?

What would happen in this case where --output is not given? Would the unwrapped intoto statement be generated into the default --signature path?

$ slsa-github-generator attest --unsigned

I'm kind of thinking that maybe something like this makes more sense?

$ slsa-github-generator attest --signature="" --predicate predicate.json

or maybe get rid of the default signature path and require folks to specify --signature or --predicate/--output or both?