@actions/attest: convert to an ESM module

[danwkennedy]

Description

We're converting all packages in this repo to ESM modules. @actions/attest is one of leaf packages and can be converted now.

[Copilot]

Pull request overview

This pull request converts the @actions/attest package from CommonJS to ESM (ECMAScript Modules), making it a pure ESM package. This is a breaking change that requires users to migrate from require() to import statements or use dynamic import().

Changes:

• Converts package to ESM-only by adding "type": "module" and configuring proper exports
• Updates all relative imports in source files to include .js extensions as required by ESM
• Upgrades dependencies to ESM-compatible versions (@actions/core ^3.0.0, @actions/github ^9.0.0, @actions/http-client ^4.0.0, @octokit/plugin-retry ^8.0.3)
• Updates TypeScript configuration to use Node16 module resolution

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
packages/attest/package.json	Bumped to v3.0.0, added ESM configuration ("type": "module", exports field), updated dependencies to ESM-compatible versions, removed overrides
packages/attest/package-lock.json	Updated lock file with new dependency versions and their transitive dependencies
packages/attest/tsconfig.json	Configured TypeScript for ESM output with "module": "node16" and "moduleResolution": "node16"
packages/attest/src/provenance.ts	Added .js extensions to all relative imports
packages/attest/src/intoto.ts	Added .js extension to relative import
packages/attest/src/index.ts	Added .js extensions to all relative imports, exported additional types (ArtifactOptions, PackageRegistryOptions, SigstoreInstance)
packages/attest/src/attest.ts	Added .js extensions to all relative imports
packages/attest/RELEASES.md	Added changelog entry for v3.0.0 documenting breaking changes and dependency updates
jest.config.js	Added @actions/attest to module name mapper and transform ignore patterns for test compatibility

Files not reviewed (1)

• packages/attest/package-lock.json: Language not supported

Comments suppressed due to low confidence (1)

packages/attest/RELEASES.md:8

• The release notes should also include the version bumps for @actions/github (from ^7.0.0 to ^9.0.0) and @octokit/plugin-retry (from ^6.0.1 to ^8.0.3) to provide a complete changelog for this release.

- Bump `@actions/core` to `^3.0.0`
- Bump `@actions/http-client` to `^4.0.0`

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The dependency updates introduce a minimum Node.js version requirement of 20 (all @octokit packages now require Node >= 20). This breaking change should be documented in the RELEASES.md file to inform users that this package now requires Node.js 20 or higher.

Suggested change

	- CommonJS consumers must use dynamic `import()` instead of `require()`
	- CommonJS consumers must use dynamic `import()` instead of `require()`
	- **Breaking change**: This package now requires Node.js 20 or higher (due to dependency updates)