chore: add slsa provenance to release assets

[zhzhuang-zju]

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR includes the following two things in total:

• remove unused workflow step
  

  karmada/.github/workflows/release.yml

  Lines 36 to 39 in 71de3dc

  	- name: Making helm charts
  	env:
  	VERSION: ${{ github.ref_name }}
  	run: make package-chart

• add slsa provenance to release assets
  This PR will generate a non-forgeable attestation to the artifacts' digests using the identity of the GitHub workflow. This can be used to create a positive attestation to a software artifact coming from karmada repository.
  That means that once karmada users verify the artifacts they have downloaded they can be sure that the artifacts were created by karmada repository's workflow and haven't been tampered with.
  This time a total of four slsa provenance are introduced as follows:

  1. karmada-charts.intoto.jsonl # used to verify charts artifact
  2. karmada-cli.intoto.jsonl # used to verify karmada cli artifacts
  3. karmada-crds.intoto.jsonl # used to verify crds artifact
  4. karmada-sbom.intoto.jsonl # used to verify sbom artifact

How to use them:
take karmada-cli.intoto.jsonl as example:
Attestation karmada-cli.intoto.jsonl can be used with slsa-verifier to verify that a CLI binary was generated using Karmada workflows on GitHub and ensures it was cryptographically signed.

# download `karmada-cli.intoto.jsonl`, `karmadactl-darwin-arm64.tgz ` and `kubectl-karmada-linux-arm64.tgz` from one of karmada's release assests.
$  fileCar slsa-verifier verify-artifact karmadactl-darwin-arm64.tgz \verify
  --provenance-path karmada-cli.intoto.jsonl \
  --source-uri github.com/karmada-io/karmada \
  --source-tag v1.10.0

$  fileCar slsa-verifier verify-artifact kubectl-karmada-linux-arm64.tgz \verify
  --provenance-path karmada-cli.intoto.jsonl \
  --source-uri github.com/karmada-io/karmada \
  --source-tag v1.10.0

Which issue(s) this PR fixes:
Parts of #5048

Special notes for your reviewer:
local test can refer to: https://github.com/zhzhuang-zju/karmada/actions/runs/9888187096
I will update the verification method to https://karmada.io/docs/administrator/security/verify-artifacts if this pr get merged and the next release version is released

Does this PR introduce a user-facing change?:

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 28.36%. Comparing base (71de3dc) to head (de289c9).
Report is 154 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5178      +/-   ##
==========================================
+ Coverage   28.22%   28.36%   +0.14%     
==========================================
  Files         632      632              
  Lines       43566    44070     +504     
==========================================
+ Hits        12296    12500     +204     
- Misses      30371    30664     +293     
- Partials      899      906       +7     

Flag	Coverage Δ
unittests	28.36% <ø> (+0.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[RainbowMango]

/assign

[RainbowMango]

Please fix comments and rebase.

[RainbowMango]

/lgtm
/approve

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• .github/workflows/OWNERS [RainbowMango]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment