
🌱 add Artifact-Integrity check for verifying release artifact authenticity #5020

Open
BB-24 wants to merge 2 commits into ossf:main from BB-24:main

Conversation


@BB-24 BB-24 commented Apr 16, 2026

Introduces an Artifact-Integrity check to verify authenticity of release artifacts using checksums or signatures.
Helps prevent tampered or malicious distributions in the software supply chain.

What kind of change does this PR introduce?

  • Feature (new check added)

What is the current behavior?

Scorecard does not evaluate whether release artifacts include integrity verification mechanisms such as checksums or signatures. This leaves a gap in detecting risks related to tampered or malicious release artifacts.

What is the new behavior (if this is a feature change)?

This PR introduces a new check, Artifact-Integrity, that:

  • Analyzes release assets for integrity verification files (e.g., checksums, signatures, provenance)
  • Correlates verification files with binary artifacts
  • Applies recency-based weighting to prioritize recent releases
  • Scores projects based on the proportion of releases that provide integrity guarantees
  • Returns inconclusive results when no analyzable releases are found
  • Tests for the changes have been added (for bug fixes/features)

Special notes for your reviewer

  • Implements proportional scoring with recency-based weighting
  • Handles edge cases including:
    • source-only releases
    • empty or missing assets
    • partial verification coverage
    • case-insensitive matching of asset names
  • Includes both unit and e2e tests following existing Scorecard patterns
  • Documentation updated via checks.yaml and generated docs
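The scoring logic the description outlines (asset classification, correlation of verification files with binaries, recency weighting, proportional scoring and the inconclusive case) as an added, self-contained example. This is not the PR's code and not Scorecard's own API: the `Asset`/`Release` types, the suffix list, the treatment of a release-wide checksum list as covering every binary, and the linear recency weights are all assumptions made for illustration. Release data is constructed inline.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Asset and Release are a constructed model for this example, not Scorecard's types.
type Asset struct{ Name string }
type Release struct{ Assets []Asset }

// Inconclusive is returned when no release has binary artifacts to analyze.
const Inconclusive = -1

// Assumed markers: per-artifact suffixes and release-wide checksum lists
// (all matched against lower-cased asset names).
var verificationSuffixes = []string{".sha256", ".sha512", ".sig", ".asc", ".intoto.jsonl", ".sigstore.json"}
var aggregateChecksums = map[string]bool{"checksums.txt": true, "sha256sums.txt": true, "sha512sums.txt": true}

func isVerificationFile(lower string) bool {
	if aggregateChecksums[lower] {
		return true
	}
	for _, s := range verificationSuffixes {
		if strings.HasSuffix(lower, s) {
			return true
		}
	}
	return false
}

// ReleaseVerified reports (verified, analyzable). Source-only and empty releases
// have no binaries and are not analyzable. A release is verified when every binary
// is covered by a release-wide checksum list or a per-artifact <artifact><suffix>
// file; names are lower-cased first, so App.zip pairs with app.zip.SHA256.
func ReleaseVerified(r Release) (verified, analyzable bool) {
	present := map[string]bool{}
	hasAggregate := false
	for _, a := range r.Assets {
		lower := strings.ToLower(a.Name)
		present[lower] = true
		hasAggregate = hasAggregate || aggregateChecksums[lower]
	}
	binaries := 0
	for _, a := range r.Assets {
		lower := strings.ToLower(a.Name)
		if isVerificationFile(lower) {
			continue
		}
		binaries++
		covered := hasAggregate
		for _, s := range verificationSuffixes {
			covered = covered || present[lower+s]
		}
		if !covered {
			return false, true // partial coverage: one unverified binary fails the release
		}
	}
	return binaries > 0, binaries > 0
}

// ScoreArtifactIntegrity maps the weighted share of verified releases to 0-10.
// Weighting is linear (assumed): releases come newest first, the newest weighs n.
func ScoreArtifactIntegrity(releases []Release) int {
	var results []bool
	for _, r := range releases {
		if v, ok := ReleaseVerified(r); ok {
			results = append(results, v)
		}
	}
	n := len(results)
	if n == 0 {
		return Inconclusive
	}
	var got, total float64
	for i, v := range results {
		w := float64(n - i)
		total += w
		if v {
			got += w
		}
	}
	return int(math.Round(10 * got / total))
}

// SampleReleases is constructed data, newest first, covering the edge cases
// in the PR description: signed, case-mismatched checksum, unverified, source-only.
func SampleReleases() []Release {
	return []Release{
		{Assets: []Asset{{Name: "app-linux-amd64.tar.gz"}, {Name: "app-linux-amd64.tar.gz.sig"}}}, // v3: signed
		{Assets: []Asset{{Name: "App-Darwin.zip"}, {Name: "app-darwin.zip.SHA256"}}},               // v2: case differs
		{Assets: []Asset{{Name: "app.tar.gz"}}},                                                    // v1: no verification
		{},                                                                                         // v0: source-only, skipped
	}
}

func main() {
	// verified weights 3+2 of total 3+2+1 = 6, so 10*5/6 rounds to 8
	fmt.Println("Artifact-Integrity score:", ScoreArtifactIntegrity(SampleReleases()))
}
```

Two design choices worth noting for reviewers: a single unverified binary marks the whole release unverified rather than counting assets, so partial coverage is penalised at release granularity; and a release-wide checksum file is accepted as coverage here without checking that the list itself is signed, which a stricter implementation could require.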

@BB-24 BB-24 requested a review from a team as a code owner April 16, 2026 17:20
@BB-24 BB-24 requested review from AdamKorcz and justaugustus and removed request for a team April 16, 2026 17:20
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Apr 16, 2026
…vide checksums or signatures, improving protection against supply chain attacks.

Signed-off-by: Bhavya Bansal <[email protected]>