Function collect_pr_dependency_signatures 

pub fn collect_pr_dependency_signatures(
    client: &GitHubClient,
    owner: &str,
    repo: &str,
    head_sha: &str,
    changed_files: &[String],
) -> EvidenceState<Vec<DependencySignatureEvidence>>

Collect dependency signature evidence for a PR by checking which lock files are present in the repository and parsing them for dependency information.

Currently supports:

  • npm: npm audit signatures --json for Sigstore provenance verification
  • Cargo: Cargo.lock checksum parsing (checksum-pinned, not cryptographic signature)
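As an added example (not this crate's own code), a minimal parser for the Cargo.lock branch, showing why that evidence is only checksum-pinned: it records a content hash per package, not a publisher signature. PinKind and CargoLockEntry are hypothetical stand-ins for DependencySignatureEvidence, and the lock file text is constructed.

```rust
// Added example, not the crate's own code. PinKind and CargoLockEntry are
// hypothetical stand-ins for DependencySignatureEvidence.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PinKind {
    ChecksumPinned, // sha256 of the crate file: content pinning, not a publisher signature
    Unpinned,       // path/git dependency, or registry entry with no usable checksum
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CargoLockEntry { pub name: String, pub version: String, pub kind: PinKind }

fn unquote(v: &str) -> String { v.trim().trim_matches('"').to_string() }

/// Parse every `[[package]]` table. A checksum counts as a pin only when it is
/// a well-formed 64-char hex digest; a malformed one is reported as Unpinned.
pub fn parse_cargo_lock(text: &str) -> Vec<CargoLockEntry> {
    let mut entries = Vec::new();
    let mut cur: Option<CargoLockEntry> = None;
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            entries.extend(cur.take()); // close the previous table, if any
            if line == "[[package]]" {
                cur = Some(CargoLockEntry { name: String::new(), version: String::new(), kind: PinKind::Unpinned });
            }
            continue;
        }
        let (Some(e), Some((k, v))) = (cur.as_mut(), line.split_once('=')) else { continue };
        match k.trim() {
            "name" => e.name = unquote(v),
            "version" => e.version = unquote(v),
            "checksum" => {
                let sum = unquote(v);
                if sum.len() == 64 && sum.bytes().all(|b| b.is_ascii_hexdigit()) {
                    e.kind = PinKind::ChecksumPinned;
                }
            }
            _ => {}
        }
    }
    entries.extend(cur.take());
    entries
}

// Constructed sample lock file: one pinned crate, one with a malformed
// checksum, one path dependency with no checksum line at all.
pub const SAMPLE_CARGO_LOCK: &str = "version = 3\n\n\
[[package]]\nname = \"serde\"\nversion = \"1.0.0\"\n\
checksum = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\n\n\
[[package]]\nname = \"badsum\"\nversion = \"0.1.0\"\nchecksum = \"deadbeef\"\n\n\
[[package]]\nname = \"localcrate\"\nversion = \"0.2.0\"\n";
```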