
@leodido leodido commented Dec 12, 2025

Summary

Resolve builtin variables (${__pkg_version}, ${__git_commit}, ${__git_commit_short}) in PackageInternal fields (prep, env), not just in Config.

Part of https://linear.app/ona-team/issue/CLC-2147/fix-non-deterministic-version-across-packages

Problem

resolveBuiltinVariables() only resolved builtin variables in Config, but FindUnresolvedArguments() checks both PackageInternal and Config. This caused builtin variables in prep or env fields to be flagged as unresolved, failing the build with:

cannot build with unresolved argument "${__git_commit_short}": use -D__git_commit_short=value to set the argument

Example BUILD.yaml that would fail:

packages:
  - name: app
    type: yarn
    prep:
      - ["/bin/bash", "prepare.sh", "${__pkg_version}"]  # This was NOT resolved
    config:
      commands:
        build: ["./package.sh", "${__git_commit_short}"]  # This WAS resolved

Solution

Resolve builtin variables in PackageInternal before resolving in Config.

Testing

  • Added TestResolveBuiltinVariablesInPackageInternal test
  • All existing tests pass

The resolveBuiltinVariables function only resolved builtin variables
(${__pkg_version}, ${__git_commit}, ${__git_commit_short}) in Config,
but FindUnresolvedArguments checks both PackageInternal and Config.

This caused builtin variables in prep or env fields to be flagged as
unresolved, failing the build with errors like:
  cannot build with unresolved argument "${__git_commit_short}"

Now resolves builtin variables in PackageInternal before Config.

Co-authored-by: Ona <[email protected]>
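To make the resolution-order point from the description and commit message concrete, here is an added Go example. It is not leeway's code: the real resolveBuiltinVariables and FindUnresolvedArguments are not shown on this page, so the types, the ${name} placeholder syntax, the argSlices/resolveArgs helpers, and deriving __git_commit_short as the first 7 characters of the hash are all assumptions of the example. It runs the old Config-only pass and the fixed PackageInternal-then-Config pass over the BUILD.yaml from the description (plus a constructed env entry) and reports what a scan of both PackageInternal and Config still finds unresolved.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed stand-ins (not leeway's real types) for the PackageInternal/Config split the PR describes.
type PackageInternal struct {
	Prep [][]string
	Env  []string
}
type Config struct{ Commands map[string][]string }
type Package struct {
	Internal PackageInternal
	Config   Config
}

var argRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// builtinVariables holds the three builtins the PR names. Callers pass a full hash;
// taking its first 7 characters as the short form is an assumption of this example.
func builtinVariables(version, commit string) map[string]string {
	return map[string]string{"__pkg_version": version, "__git_commit": commit, "__git_commit_short": commit[:7]}
}

// argSlices returns the argument slices to walk, PackageInternal (if requested)
// before Config. They alias the package's own slices, so in-place edits stick.
func argSlices(p *Package, withInternal bool) [][]string {
	var out [][]string
	if withInternal {
		out = append(append(out, p.Internal.Prep...), p.Internal.Env)
	}
	for _, cmd := range p.Config.Commands {
		out = append(out, cmd)
	}
	return out
}

// resolveArgs substitutes known ${name} references in place; unknown names stay
// intact so findUnresolvedArguments still sees them.
func resolveArgs(args []string, vars map[string]string) {
	for i, a := range args {
		args[i] = argRef.ReplaceAllStringFunc(a, func(m string) string {
			if v, ok := vars[m[2:len(m)-1]]; ok {
				return v
			}
			return m
		})
	}
}

// resolveBuiltinVariables with withInternal=false is the old behaviour (Config
// only); withInternal=true is the fix (PackageInternal first, then Config).
func resolveBuiltinVariables(p *Package, vars map[string]string, withInternal bool) {
	for _, args := range argSlices(p, withInternal) {
		resolveArgs(args, vars)
	}
}

// findUnresolvedArguments scans both PackageInternal and Config, as the PR says
// the real check does, and returns the sorted set of names still unresolved.
func findUnresolvedArguments(p *Package) []string {
	seen := map[string]bool{}
	for _, args := range argSlices(p, true) {
		for _, a := range args {
			for _, m := range argRef.FindAllStringSubmatch(a, -1) {
				seen[m[1]] = true
			}
		}
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// examplePackage mirrors the BUILD.yaml in the PR description plus a constructed env entry.
func examplePackage() *Package {
	return &Package{
		Internal: PackageInternal{
			Prep: [][]string{{"/bin/bash", "prepare.sh", "${__pkg_version}"}},
			Env:  []string{"GIT_SHA=${__git_commit}"},
		},
		Config: Config{Commands: map[string][]string{"build": {"./package.sh", "${__git_commit_short}"}}},
	}
}

func main() {
	vars := builtinVariables("0.16.0-rc13", "c53da73deadbeef")
	for _, fixed := range []bool{false, true} {
		p := examplePackage()
		resolveBuiltinVariables(p, vars, fixed)
		fmt.Printf("fixed=%v unresolved=%v\n", fixed, findUnresolvedArguments(p))
	}
}
```

With the old pass, the config command is resolved but prep and env still carry ${__pkg_version} and ${__git_commit}, which is exactly what a both-sides scan reports; with the fixed pass, nothing is left unresolved. The order matters only insofar as both halves must be covered before the scan runs.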
@leodido leodido force-pushed the ldd/resolve-builtin-pkg-internal branch 2 times, most recently from 6a9ba77 to c53da73 on December 13, 2025 14:20

leodido commented Dec 13, 2025

Root cause found and fixed!

When LEEWAY_DEFAULT_CACHE_LEVEL=remote-pull is set (SLSA mode), the normal upload path in s3.go is skipped. Instead, sign-cache handles uploads. However, sign-cache only uploaded:

  • Artifacts (.tar.gz)
  • Attestations (.att)

It did NOT upload SBOM files (.sbom.cdx.json, .sbom.spdx.json, .sbom.json).

This caused SBOM vulnerability scans to fail because SBOM files were generated locally but never uploaded to the remote cache.

Fix: Modified UploadArtifactWithAttestation in pkg/leeway/signing/upload.go to also upload SBOM sidecar files.

Ready for a new RC tag (v0.16.0-rc13).
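As an added illustration of the upload gap described in the comment above (example code, not the contents of pkg/leeway/signing/upload.go): an in-memory stand-in for the remote cache, an uploader that either stops at the artifact and its .att (the pre-fix behaviour) or also pushes whichever SBOM sidecars exist locally, and a check for SBOMs that are present locally but absent remotely. The "<artifact><suffix>" sidecar naming, the fixture contents and every function name here are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

var sbomSuffixes = []string{".sbom.cdx.json", ".sbom.spdx.json", ".sbom.json"} // SBOM sidecars named in the comment above

// remoteCache stands in for the remote bucket (key -> bytes); constructed here, not leeway's code.
type remoteCache struct{ objects map[string][]byte }

func newRemoteCache() *remoteCache         { return &remoteCache{objects: map[string][]byte{}} }
func (r *remoteCache) has(key string) bool { _, ok := r.objects[key]; return ok }

// Sidecars are named "<artifact><suffix>"; that layout is an assumption of this example.
func attestationPath(artifact string) string { return artifact + ".att" }
func sbomPaths(artifact string) []string {
	var out []string
	for _, s := range sbomSuffixes {
		out = append(out, artifact+s)
	}
	return out
}

// uploadArtifactWithAttestation uploads the artifact and its .att and, when withSBOM
// is true (the fix), every SBOM sidecar present locally; false reproduces the gap.
func uploadArtifactWithAttestation(remote *remoteCache, artifact string, withSBOM bool) ([]string, error) {
	var keys []string
	upload := func(p string, optional bool) error {
		b, err := os.ReadFile(p)
		if optional && os.IsNotExist(err) {
			return nil // this SBOM format was not generated locally; nothing to push
		}
		if err != nil {
			return err
		}
		remote.objects[filepath.Base(p)] = b
		keys = append(keys, filepath.Base(p))
		return nil
	}
	for _, p := range []string{artifact, attestationPath(artifact)} {
		if err := upload(p, false); err != nil {
			return keys, err
		}
	}
	if withSBOM {
		for _, p := range sbomPaths(artifact) {
			if err := upload(p, true); err != nil {
				return keys, err
			}
		}
	}
	return keys, nil
}

// missingSBOMs lists SBOMs present locally but absent remotely: what a remote-side scan trips over.
func missingSBOMs(remote *remoteCache, artifact string) []string {
	var missing []string
	for _, p := range sbomPaths(artifact) {
		if _, err := os.Stat(p); err == nil && !remote.has(filepath.Base(p)) {
			missing = append(missing, filepath.Base(p))
		}
	}
	return missing
}

// buildFixture writes a constructed artifact, its .att and two of the three SBOM formats to a temp dir.
func buildFixture() (string, error) {
	dir, err := os.MkdirTemp("", "leeway-sbom-example")
	if err != nil {
		return "", err
	}
	artifact := filepath.Join(dir, "app.tar.gz")
	files := map[string]string{
		artifact:                     "fake tarball",
		attestationPath(artifact):    `{"_type":"https://in-toto.io/Statement/v1"}`,
		artifact + ".sbom.cdx.json":  `{"bomFormat":"CycloneDX"}`,
		artifact + ".sbom.spdx.json": `{"spdxVersion":"SPDX-2.3"}`,
	}
	for p, c := range files {
		if err := os.WriteFile(p, []byte(c), 0o644); err != nil {
			return "", err
		}
	}
	return artifact, nil
}

func main() {
	artifact, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(artifact))
	remote := newRemoteCache()
	uploadArtifactWithAttestation(remote, artifact, false) // pre-fix behaviour: SBOMs stay local
	fmt.Println("SBOMs missing remotely:", missingSBOMs(remote, artifact))
}
```

The check that matters is missingSBOMs: after the pre-fix upload it names the CycloneDX and SPDX sidecars, after the fixed upload it is empty, and the .sbom.json format that was never generated locally is skipped rather than turning into an upload error.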

