docker-hash CLI's Supply Chain Exposed: No Provenance, No Detection for Tampered Releases

The `docker-hash` tool, a critical dependency for countless CI/CD pipelines, currently ships its release artifacts with zero verifiable supply-chain security. As a CLI, Docker image, and GitHub Action, its compromised build process would directly infect every downstream consumer. There is no SLSA attestation, no SBOM, no Sigstore signatures, and no container image attestation. This means a stolen `GITHUB_TOKEN`, a malicious dependency in GoReleaser, or an attacker with repository write access could push tampered binaries to users who have no way to detect the breach.

This issue proposes implementing the industry-standard security baseline for a small Go and OCI image project. The plan includes generating SLSA Build Level 3 provenance, Software Bill of Materials (SBOMs), and keyless Sigstore signatures for all binaries and container images. It also calls for OCI image attestations and layered defenses like OSSF Scorecard checks, Dependency Review, CodeQL analysis, and vulnerability scanning.

The absence of these foundational security measures places the entire user base at risk, turning a single-point compromise into a widespread supply-chain attack. Implementing this provenance framework is not an optional enhancement but a critical requirement to establish trust and integrity for a tool embedded in so many software delivery pipelines.