Support source hashes and attestation

Currently you can specify the binary hash of a WASI file. It would be neat if you could use Github's attestation feature to specify the repo commit, and use an attestation to confirm the binary was built from it.