Support artifact attestations.

[jsirois]

There are two parts to this:

• [x] Publish science binaries with artifact attestation (see https://github.com/a-scie/ptex/pull/192 and https://github.com/a-scie/jump/pull/220 for examples).
• [ ] Support verification of attested artifacts during science lift build, including ptex, the scie-jump and any Provider artifacts that use attestation.

[jsirois]

Noting that validating a GitHub attestation requires a GitHub login currently to retrieve the attestation bundle from GitHub Attestations (step 2 below):

:; curl -sL https://github.com/pex-tool/pex/releases/download/v2.7.0/pex -o /tmp/pex
:; curl -sL -H "Authorization: Bearer $GITHUB_PAT" https://api.github.com/users/pex-tool/attestations/sha256:$(sha256sum /tmp/pex | cut -d' ' -f1) | jq -c .attestations[].bundle > pex.intoto.jsonl
:; sigstore verify github --repository pex-tool/pex --bundle pex.intoto.jsonl /tmp/pex
OK: /tmp/pex