Consider naming the generated attestation file attestation.intoto.json or allow users to configure it

[edgarrmondragon]

This would make it slightly easier for projects to comply with OSSF's Scorecard: https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#signed-releases.

The alternative at the moment is for users to override the asset name the file is uploaded with to the release.

---

I can start a PR if y'all like the idea. If we make it configurable, we'd probably want to follow up with a corresponding PR in actions/attest-build-provenance.

[SRv6d]

Doesn't intoto.jsonl use a different format/schema? I think the scorecard doesn't actually verify attestations but only checks for file existence, meaning even incorrect attestation files/formats would lead to a positive result.