build provenance stmt from OIDC claims

Signed-off-by: Brian DeHamer <bdehamer@github.com>

packages/attest/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actions/attest",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Actions attestation lib",
   "keywords": [
     "github",
@@ -37,13 +37,19 @@
   "devDependencies": {
     "@sigstore/mock": "^0.6.5",
     "@sigstore/rekor-types": "^2.0.0",
+    "@types/jsonwebtoken": "^9.0.6",
     "@types/make-fetch-happen": "^10.0.4",
+    "jose": "^5.2.3",
     "nock": "^13.5.1"
   },
   "dependencies": {
+    "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.0",
+    "@actions/http-client": "^2.2.1",
     "@sigstore/bundle": "^2.2.0",
     "@sigstore/sign": "^2.2.3",
+    "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.1.0",
     "make-fetch-happen": "^13.0.0"
   }
 }