Closed
Labels: feature request; requires triaging (maintainers need to do initial inspection of issue)
Description
What's the problem this feature will solve?
gh-action-pypi-publish is now advertising that you can use PEP 740 attestations, which are now on by default. This is not documented or explained anywhere.
Describe the solution you'd like
Neither https://docs.pypi.org/trusted-publishers/using-a-publisher/ nor https://docs.pypi.org/trusted-publishers/security-model/ describes PEP 740 or what attestations do.
https://pypi.org/help/ does not mention it either.
I don't see any indication of how to upload attestations (though I understand it's on by default now, so probably I don't need to do anything). I also don't see any indication of where the attestations go and how to verify that they exist and are correct.
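The question above (where attestations live and how to check that they exist and bind the right file) can be partly answered by fetching the PEP 740 provenance object PyPI serves for a release file and inspecting it. The following is an added example and is not code from the issue author, from the PyPI project, or from gh-action-pypi-publish. It assumes the Integrity API path shape `https://pypi.org/integrity/{project}/{version}/{filename}/provenance`, and it uses a constructed, unsigned provenance object as stand-in input so it runs offline; the certificate and signature fields are placeholders, so the code checks structure, publisher identity and the SHA-256 subject binding, not the Sigstore signature itself.

```python
"""Locate and sanity-check a PEP 740 provenance object for a PyPI release file.

Added example, not the issue author's or PyPI's own code. Assumptions:
  * Integrity API URL shape (an assumption, see INTEGRITY_API below).
  * PROVENANCE is a constructed sample; its certificate/signature values are
    placeholders, so no cryptographic verification is attempted here.
"""
import base64
import hashlib
import json

# Assumed URL shape of PyPI's Integrity API provenance endpoint.
INTEGRITY_API = "https://pypi.org/integrity/{project}/{version}/{filename}/provenance"

# PEP 740 publish attestations use this predicate type and a null predicate.
PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"


def provenance_url(project: str, version: str, filename: str) -> str:
    """Build the URL to GET the provenance object for one release file."""
    return INTEGRITY_API.format(project=project, version=version, filename=filename)


def _b64_json(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# --- Constructed sample input (not a real PyPI artifact) -------------------
SAMPLE_FILENAME = "example_pkg-1.0.0.tar.gz"
SAMPLE_FILE = b"constructed sdist bytes for demonstration\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_FILE).hexdigest()

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": SAMPLE_FILENAME, "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": PUBLISH_PREDICATE,
    "predicate": None,
}

PROVENANCE = {
    "version": 1,
    "attestation_bundles": [
        {
            # Trusted Publisher identity recorded by PyPI at upload time.
            "publisher": {
                "kind": "GitHub",
                "repository": "example-org/example-pkg",
                "workflow": "release.yml",
                "environment": "pypi",
            },
            "attestations": [
                {
                    "version": 1,
                    "verification_material": {
                        "certificate": base64.b64encode(b"placeholder-cert").decode(),
                        "transparency_entries": [],
                    },
                    "envelope": {
                        "statement": _b64_json(SAMPLE_STATEMENT),
                        "signature": base64.b64encode(b"placeholder-sig").decode(),
                    },
                }
            ],
        }
    ],
}


def check_provenance(provenance: dict, filename: str, file_bytes: bytes,
                     expected_repository: str) -> list[str]:
    """Return a list of problems; an empty list means the structural checks passed.

    Checks: provenance exists and has version 1; each bundle's publisher is the
    GitHub repository we expect; each attestation's in-toto statement is a
    publish attestation whose subject binds `filename` to sha256(file_bytes).
    """
    problems: list[str] = []
    if provenance.get("version") != 1:
        problems.append("unexpected provenance version")
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        problems.append("no attestation bundles: file was uploaded without attestations")
    actual_digest = hashlib.sha256(file_bytes).hexdigest()
    for bundle in bundles:
        pub = bundle.get("publisher", {})
        if pub.get("kind") != "GitHub" or pub.get("repository") != expected_repository:
            problems.append(f"publisher {pub!r} is not GitHub repository {expected_repository}")
        for att in bundle.get("attestations", []):
            try:
                stmt = json.loads(base64.b64decode(att["envelope"]["statement"]))
            except (KeyError, ValueError, TypeError) as exc:
                problems.append(f"malformed attestation envelope: {exc}")
                continue
            if stmt.get("predicateType") != PUBLISH_PREDICATE:
                problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
            subjects = {s.get("name"): s.get("digest", {}).get("sha256")
                        for s in stmt.get("subject", [])}
            if subjects.get(filename) != actual_digest:
                problems.append(f"statement does not bind {filename} to sha256 {actual_digest}")
    return problems


if __name__ == "__main__":
    print(provenance_url("example-pkg", "1.0.0", SAMPLE_FILENAME))
    print(check_provenance(PROVENANCE, SAMPLE_FILENAME, SAMPLE_FILE, "example-org/example-pkg"))
```

Against a real release, replace PROVENANCE with the JSON returned by the Integrity API and SAMPLE_FILE with the downloaded artifact; a non-empty result (or a 404 from the endpoint) tells you attestations are absent or do not match. Verifying the Sigstore signature and certificate identity on top of these checks requires a Sigstore-aware verifier (the `pypi-attestations` package is the one PyPI's tooling uses), which is deliberately out of scope for this offline example.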