Refactor: migrate from deprecated in-toto-golang types to in-toto/attestation module

[st3penta]

The CLI uses deprecated types and sub-packages from github.com/in-toto/in-toto-golang/in_toto that should be replaced with their modern equivalents from github.com/in-toto/attestation (https://github.com/in-toto/attestation/tree/main/go).

Deprecated types currently in use (production code):

• in_toto.Statement -- used in internal/attestation/attestation.go and internal/applicationsnapshot/attestation.go
• in_toto.ProvenanceStatementSLSA02 -- used in internal/attestation/slsa_provenance_02.go and internal/image/fake.go
• in_toto.ProvenanceStatementSLSA1 -- used in internal/attestation/slsa_provenance_v1.go
• in_toto.StatementInTotoV01 -- used across multiple attestation files
• in_toto.StatementHeader, in_toto.Subject -- used via the above types
• Sub-packages in_toto/slsa_provenance/v0.2, in_toto/slsa_provenance/v1, in_toto/slsa_provenance/common

Affected files (production):

• internal/attestation/attestation.go (5 nolint suppressions)
• internal/attestation/slsa_provenance_02.go (1 nolint suppression)
• internal/attestation/slsa_provenance_v1.go (3 nolint suppressions)
• internal/applicationsnapshot/attestation.go (4 nolint suppressions)
• internal/image/fake.go (2 nolint suppressions)

Affected files (tests and acceptance): Numerous test files and the acceptance/ and benchmark/ directories also use the deprecated types.

Migration target: The github.com/in-toto/attestation module (already an indirect dependency at v1.1.2) provides the replacement APIs. After migration, the github.com/in-toto/in-toto-golang dependency can potentially be removed entirely, and all //nolint:staticcheck suppressions can be cleaned up.

Context: A prior commit (011438a, Feb 2026) explicitly deferred this refactoring, adding nolint directives with the note: "Dealing with these deprecations requires a major refactoring, which doesn't fit in this PR."

[fullsend-ai-triage]

🤖 Finished Triage · ✅ Success · Started 10:20 AM UTC · Completed 10:22 AM UTC
Commit: 47d3320 · View workflow run →

[fullsend-ai-triage]

Triage Summary

This is a well-scoped refactoring task to migrate from deprecated in-toto-golang types to the modern in-toto/attestation module.

Problem: Five production files and numerous test files use deprecated types from github.com/in-toto/in-toto-golang/in_toto, suppressed with //nolint:staticcheck directives since commit 011438a4 (Feb 2026).

Severity: Low — this is technical debt, not a functional defect. The deprecated types still work but may cause compatibility issues as the in-toto ecosystem evolves.

Recommended approach:

1. Promote github.com/in-toto/attestation from indirect to direct dependency
2. Replace deprecated types in production files: attestation.go, slsa_provenance_02.go, slsa_provenance_v1.go, applicationsnapshot/attestation.go, image/fake.go
3. Update test and acceptance code
4. Remove //nolint:staticcheck suppressions
5. Evaluate removal of github.com/in-toto/in-toto-golang from go.mod

Note: This is a multi-module project (root, acceptance/, tools/), so go mod tidy must be run in each affected module.

Proposed verification:

# Verify no deprecation warnings remain
golangci-lint run  # no in-toto staticcheck warnings

# Verify nolint suppressions removed
grep -r 'nolint:staticcheck' internal/attestation/ internal/applicationsnapshot/ internal/image/fake.go
# should return nothing for in-toto related suppressions

# Full regression test
make test && make acceptance

# Check if old dependency can be dropped
go mod graph | grep in-toto-golang

---

Labels: This is a Go refactoring task involving dependency migration, matching the 'go' and existing 'dependencies' labels per repo conventions.