upload: add attestations to PackageFile

[woodruffw]

WIP, needs more tests.

Summary of changes:

• Updates _make_package to accept an attestations parameter, which receives the list of attestations for the distribution (from _split_inputs).
• When --attestations is set and attestations is nonempty, the supplied attestations are passed into the constructed PackageFile.
• Internally, PackageFile reads each attestation as JSON and compounds it onto a JSON array to send as the attestations field during upload, per PEP 740.

See #1094.

[woodruffw]

Should be good for another look! I've rounded out the coverage as well.