add skip_upload capability to contract

[JeffResc]

Description

This PR introduces the ability to control whether materials are uploaded to CAS directly from workflow contracts. This is useful for scenarios where artifacts are large and already stored elsewhere, or when you only need to attest to their existence without storing them.

Contracts can now specify skip_upload: true on individual materials to skip uploading them to CAS while still recording their metadata (digest and filename) in the attestation.

Example Usage

apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: my-workflow
spec:
  materials:
    - name: large-binary
      type: ARTIFACT
      skip_upload: true  # Only record metadata, don't upload to CAS
    - name: sbom
      type: SBOM_CYCLONEDX_JSON
      # skip_upload defaults to false - normal upload behavior

Features

Contract-controlled: Platform administrators define upload behavior in contracts
Metadata preservation: Even when upload is skipped, digest and filename are recorded in attestations
Backward compatible: Defaults to false (upload enabled) - existing contracts work unchanged
Flexible: Can be set per-material, allowing fine-grained control within a single workflow

Use Cases

• Large artifacts (multi-GB files) where CAS storage isn't practical
• Artifacts already stored in external systems
• Materials where attestation metadata is sufficient without full content storage
• Reducing storage costs for high-volume workflows

Technical Details

• Added skip_upload boolean field to Material proto definition
• Updated material crafter to honor skip setting from contract
• When skipped, materials have UploadedToCas = false and only metadata is captured
• CONTAINER_IMAGE and STRING types remain unaffected (they never upload to CAS)

Related Issues

Resolves #2522

[jiparis]

Thanks, just a comment in the proto definition

[migmartri]

LGTM in general.

My only comment would be if you could add a testCase in at least one of the material types (i.e TestSARIFCraft) we have today to make sure this new path is covered?

[JeffResc]

My only comment would be if you could add a testCase in at least one of the material types (i.e TestSARIFCraft) we have today to make sure this new path is covered?

Yep, just added one for SARIF and CycloneDX

[migmartri]

LGTM!

[migmartri]

@JeffResc it would be nice if you could help us add some docs about this feature, maybe here

That could talk about the two modes of container image attestation, by reference and offline.

and how to make it offline using some of the tools you put here in the comments

What do you think?