twine/upload: attestations scaffolding

[woodruffw]

Initial work towards #1094.

Summary:

• Adds an --attestations flag (default False) and propagates its value into Settings
• Refactors the current input splitting logic into a separate _split_inputs helper, which returns dists, signatures, and attestations as separate data structures
• Unit tests for all of the above

I've tried to keep this change small (~50 lines without the tests), so --attestations is currently a no-op. But if you'd prefer it do something substantive, I can add the "fail if the user passes --attestations but one or more files are missing attestations" behavior to this changeset 🙂

[woodruffw]

3.8 is failing with:

types: commands[0]> mypy --html-report mypy --txt-report mypy twine
You must install the lxml package before you can run mypy with `--html-report`.
You can do this with `python3 -m pip install lxml`.
Traceback (most recent call last):

and the integration suite is failing with:

>       assert dist.name == f"twine-sampleproject-3.0.0.post{tag}.tar.gz"
E       AssertionError: assert 'twine_sample...249779.tar.gz' == 'twine-sample...249779.tar.gz'
E         
E         Skipping 42 identical trailing characters in diff, use -v to show
E         - twine-samplepro
E         ?      ^
E         + twine_samplepro
E         ?      ^

...which both look unrelated. I can try my hand at both in separate PRs today 🙂

Edit: #1096

[woodruffw]

This should be good to go again! Integration is still failing due to 503s from TestPyPI, but the other test issues have been fully addressed 🙂