
feat: add attach attestation command #763

Open
Jaydeep869 wants to merge 6 commits into in-toto:main from Jaydeep869:fix/602-attach-attestation

Conversation

@Jaydeep869
Contributor

What this PR does / why we need it

Description
Adds the capability to attach attestations to an OCI artifact using the OCI referrers API, implementing the witness attach attestation command. This enables developers and CI/CD systems to securely attach standard attestation formats (in-toto/DSSE) directly to a container image, making them discoverable alongside the artifact in the registry.

The command supports:

  • Loading one or multiple local attestation JSON files using the --attestation (-a) flag.
  • Resolving the OCI artifact reference using go-containerregistry.
  • Pushing the attestation as a referrer image layer pointing its Subject at the original image descriptor with the application/vnd.in-toto+json media type.

Example usage:

witness attach attestation --attestation build-attestation.json ubuntu:latest

Which issue(s) this PR fixes (optional)

Fixes #602

Acceptance Criteria Met

  • Docs changes if needed
  • Testing changes if needed
  • All workflow checks passing (automatically enforced)
  • All review conversations resolved (automatically enforced)
  • DCO Sign-off

Special notes for your reviewer:
I used google/go-containerregistry's remote.Write and mutate.Subject methods to create identical referrer representations of the local attestation payload. This mirrors the behavior of tools like cosign attach attestation, securely uploading verifiable subject matter without requiring external CLIs.

This commit adds a new command to attach attestations to an OCI artifact using the OCI referrers API. Resolves in-toto#602

Signed-off-by: jaydeep869 <jaydeeppokhariya2106@gmail.com>
@netlify

netlify bot commented Apr 9, 2026

Deploy Preview for witness-project ready!

Name Link
🔨 Latest commit 209a3c6
🔍 Latest deploy log https://app.netlify.com/projects/witness-project/deploys/69dce1ee15dd140008cbe8dd
😎 Deploy Preview https://deploy-preview-763--witness-project.netlify.app

@Jaydeep869
Contributor Author

Hey @jkjell @colek42, can you review this PR when you have time?

@manzil-infinity180
Contributor

@Jaydeep869
Refer to this PR, #661, and this comment: #661 (comment)

@Jaydeep869
Contributor Author

Hey @manzil-infinity180, thanks for pointing out #661! I really appreciate your previous work on it, as it helped set a great foundation for this.

I reviewed the maintainers' feedback on that PR and #602, and carefully added their requested changes into this implementation to resolve the previous blockers:

  • Variadic Arguments & Flags: Added the ability to pass multiple attestations natively (witness attach attestation att1.json att2.json --image-uri my-image), removing the repeatable --attestation flag for stricter alignment with modern CLI practices, as suggested by @kriscoleman.
  • Subject Mismatch Guardrails: Parsed the underlying DSSE envelopes and decoded the in-toto payloads to cryptographically verify that the subject digest directly matches the OCI --image-uri target digest before attaching to the registry, effectively preventing accidental mis-attachments as prescribed by @colek42.
  • Verification Override: Added the --skip-verification flag to safely bypass this guardrail manually if needed.
  • Comprehensive Unit Tests: Created attach_test.go and implemented end-to-end simulated OCI tests running an in-memory httptest registry to accurately test attestation pushes, success paths, and validation failure paths (unsupported payloadType, missing signatures, and mismatched subjects), also requested by @colek42.

I believe this covers all the open gaps from #661! Let me know if you spot anything else we can refine, and I'll fix it.

Signed-off-by: jaydeep869 <jaydeeppokhariya2106@gmail.com>
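The subject-mismatch guardrail described in the comment above, as an added Go example that is not the PR's or witness's own code: it parses a DSSE envelope, base64-decodes the in-toto Statement and accepts it only if the payload type is in-toto, at least one signature is present, and a subject carries the target image's sha256 digest. The type and function names are hypothetical, and signature verification itself is out of scope here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Minimal DSSE envelope and in-toto Statement shapes: hypothetical
// types written for this example, not witness's own.
type dsseEnvelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"` // base64 Statement
	Signatures  []json.RawMessage `json:"signatures"`
}
type statement struct {
	Subject []struct{ Digest map[string]string `json:"digest"` } `json:"subject"`
}

// checkSubjectMatch is the guardrail: reject non-in-toto payloads, unsigned
// envelopes and statements whose subjects lack the image's "sha256:<hex>"
// digest. Signatures are only counted here, not cryptographically verified.
func checkSubjectMatch(envelopeJSON []byte, imageDigest string) error {
	var env dsseEnvelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return fmt.Errorf("unsupported payloadType %q", env.PayloadType)
	}
	if len(env.Signatures) == 0 {
		return fmt.Errorf("envelope has no signatures")
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("decode payload: %w", err)
	}
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("parse statement: %w", err)
	}
	for _, s := range st.Subject {
		if "sha256:"+s.Digest["sha256"] == imageDigest {
			return nil // at least one subject names this image
		}
	}
	return fmt.Errorf("no subject matches image digest %s", imageDigest)
}
```

Calling checkSubjectMatch before remote.Write reproduces the failure paths the comment lists (unsupported payloadType, missing signatures, mismatched subject) without touching the registry.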
Successfully merging this pull request may close these issues.

[Feat]: Attach capability to attach attestations to OCI artifact

2 participants