chore: make oci11 referrer selection deterministic #4656

Open
1seal wants to merge 4 commits into sigstore:main from 1seal:fix/deterministic-oci11-referrer-selection

1seal (Contributor) commented Jan 20, 2026

  • make oci 1.1 referrer selection deterministic by sorting descriptors by digest before selecting the last result
  • add unit tests to ensure selection is order-independent and does not mutate inputs
  • note: this does not define the “correct” semantics for multiple matching referrers; please advise whether cosign should fail closed, verify all, or prefer a specific key (e.g. validated annotations)

refs #4655

Signed-off-by: 1seal <security@1seal.org>
1seal requested a review from a team as a code owner January 20, 2026 23:32
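
As an added illustration (not code from this pull request or from cosign), the Go sketch below shows the selection the description outlines, sorting a copy of the descriptors by digest and taking the last, beside a fail-closed variant of the kind the author asks about. The `descriptor` type, the function names and the digests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// descriptor is a hypothetical stand-in for an OCI referrer descriptor.
type descriptor struct{ Digest string }

var errNotUnique = errors.New("expected exactly one matching referrer")

// sortedCopy orders referrers by digest without touching the caller's slice.
func sortedCopy(refs []descriptor) []descriptor {
	out := append([]descriptor(nil), refs...)
	sort.Slice(out, func(i, j int) bool { return out[i].Digest < out[j].Digest })
	return out
}

// selectLast is the deterministic policy: last entry after the digest sort.
func selectLast(refs []descriptor) (descriptor, bool) {
	if len(refs) == 0 {
		return descriptor{}, false
	}
	return sortedCopy(refs)[len(refs)-1], true
}

// selectStrict is the fail-closed policy: one candidate or an error.
func selectStrict(refs []descriptor) (descriptor, error) {
	if len(refs) != 1 {
		return descriptor{}, fmt.Errorf("%w: got %d", errNotUnique, len(refs))
	}
	return refs[0], nil
}

func main() {
	// Constructed sample: one set of matching referrers listed in two orders.
	a := []descriptor{{"sha256:cc"}, {"sha256:aa"}, {"sha256:bb"}}
	b := []descriptor{a[1], a[2], a[0]}
	// Taking the last entry of the raw listing depends on the listing order.
	fmt.Println("unsorted last:", a[len(a)-1].Digest, b[len(b)-1].Digest)
	x, _ := selectLast(a)
	y, _ := selectLast(b)
	fmt.Println("sorted last:  ", x.Digest, y.Digest)
	_, err := selectStrict(a)
	fmt.Println("strict:       ", err)
}
```

Sorting makes the pick reproducible across listing orders, but it still silently prefers one of several candidates; only the strict variant surfaces the ambiguity to the caller.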

codecov bot commented Jan 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.16%. Comparing base (2ef6022) to head (5298c78).
⚠️ Report is 638 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4656      +/-   ##
==========================================
- Coverage   40.10%   36.16%   -3.94%     
==========================================
  Files         155      220      +65     
  Lines       10044    12431    +2387     
==========================================
+ Hits         4028     4496     +468     
- Misses       5530     7241    +1711     
- Partials      486      694     +208     

1seal added 3 commits January 21, 2026 00:00
Signed-off-by: 1seal <security@1seal.org>
Signed-off-by: 1seal <security@1seal.org>
Signed-off-by: 1seal <security@1seal.org>