docs: update provenance tutorial

[benmss]

Summary

This PR updates the npm provenance discovery tutorial to include the newer discovery methods: PyPI and GitHub.

Description of changes

• The tutorial is updated to provide examples of provenance discovery for PyPI and GitHub using the toga PyPI library, which has provenance of either type available for discovery depending on the exact version specified.
• For GitHub attestation, a small code update is included to allow the repository URL and commit digest to be found from provenance.
• The npm part of the tutorial is updated to use a newer version of the semver library 7.7.2

Removal of verify-provenance and Download Changes

As part of this PR, the verify-provenance command line argument has been removed, making this action occur by default once again. This command was originally introduced due to concerns about downloading overly large files, thereby slowing down analyses. Instead of this, a file size limit has been imposed for download operations that were previously using the Stream functionality.
In cases where the size is not known before the download begins (most cases), the download will terminate when the streamed data exceeds the limit. This limit can be configured in the defaults.ini and defaults to 10mb. This is not sufficient for two of our existing integration tests and they have been adjusted accordingly.

[behnazh-w]

Please add integration tests for the toga package with a tutorial label. We make sure to have an integration test for all of our tutorials and catch changes/issues.

[behnazh-w]

Suggested change

	This image shows that both checks have passed, confirming that the repository URL and commit digest from the provenance match those associated with the user provided PURL. To access the full report use the following:
	This image shows that all three checks have passed, confirming that the repository URL and commit digest from the provenance match those associated with the user provided PURL. To access the full report use the following command:

[behnazh-w]

Suggested change

	As part of this analysis, Macaron ends up downloading three different asset files: The `attestation asset <https://api.github.com/repos/urllib3/urllib3/releases/assets/84708804>`_, the artifact's Python wheel file, and the artifact's compressed archive. By examining the attestation, Macaron can verify the two other files. This analysis can then report that provenance exists, and is verified.
	As part of this analysis, Macaron ends up downloading three different asset files: The `attestation asset <https://api.github.com/repos/urllib3/urllib3/releases/assets/84708804>`_, the artifact's Python wheel file, and the source distribution tarball file. By examining the attestation, Macaron can verify the two other files. This analysis can then report that provenance exists, and is verified.

[behnazh-w]

Suggested change

	When attestation is provided to Macaron as input, it must be of one of the support types in order to be accepted. Support is defined by the ``predicateType`` and ``buildType`` properties within an attestation.
	When attestation is provided to Macaron as input, it must be of one of the supported types in order to be accepted. Support is defined by the ``predicateType`` and ``buildType`` properties within an attestation.