pyOpenSci / pyosMeta

A package that updates pyOpenSci contributor and package metadata on our website
BSD 3-Clause "New" or "Revised" License

[pyos meta repo] Sign pypi releases using sigstore #146

Closed lwasser closed 2 months ago

lwasser commented 4 months ago

In this issue @webknjaz suggested looking into sigstore as a way to sign releases and add additional security to our builds. @willingc and I have implemented everything else in that issue short of sigstore. This can be implemented in a future release / effort! Notes on it below:

Finally, there's a way to sign releases with Sigstore that's showcased @ https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#signing-the-distribution-packages (might need adapting to take your trigger into account). This is optional, but with support for uploading GPG signatures removed from PyPI, it's probably going to be the future replacement, so I decided to include a configuration example that also relies on OIDC but doesn't need much configuration.
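
The workflow shape the quoted note refers to, written out as an added example for this thread (it is not the project's existing workflow, and it is not a verbatim copy of the packaging guide). It assumes a tag-push trigger (`v*`), a GitHub environment named `pypi` registered as a trusted publisher on PyPI, the PyPI project name `pyosmeta`, and the action versions shown; adapt all of those to your own setup. The security-relevant choices are that the build job has no `id-token` permission, so untrusted build tooling never sees the OIDC token; that publishing and signing happen in separate jobs that only download the already-built artifact; and that signing runs after the PyPI upload, so the Sigstore bundles cover exactly the files that were published.

```yaml
# .github/workflows/release.yml   (file name is an assumption)
name: Build, publish and sign release

on:
  push:
    tags:
      - "v*"          # assumption: releases are tagged vX.Y.Z; change to match your trigger

jobs:
  build:
    # Build in its own job with default (read-only) permissions: the step that
    # runs arbitrary build tooling must never be able to request the OIDC token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install --user build
      - run: python -m build           # produces dist/*.tar.gz and dist/*.whl
      - uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions
          path: dist/

  publish-to-pypi:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: pypi                               # assumption: environment name registered on PyPI
      url: https://pypi.org/p/pyosmeta          # assumption: PyPI project name
    permissions:
      id-token: write                          # required for PyPI trusted publishing (OIDC)
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1   # no API token: uses the OIDC token

  sign-and-release:
    needs: publish-to-pypi                     # sign only after the upload succeeded
    runs-on: ubuntu-latest
    permissions:
      contents: write                          # needed to create the GitHub Release
      id-token: write                          # Sigstore keyless signing also uses the OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Sign the dists with Sigstore
        uses: sigstore/gh-action-sigstore-python@v3.0.0
        with:
          inputs: >-
            ./dist/*.tar.gz
            ./dist/*.whl
      - name: Create GitHub Release and attach dists plus Sigstore bundles
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: |
          gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" --notes ""
          gh release upload "$GITHUB_REF_NAME" dist/* --repo "$GITHUB_REPOSITORY"
```

The signing action writes a Sigstore bundle next to each input file in `dist/`, and the final step uploads both the distributions and the bundles to the GitHub Release. A consumer can then check a download against the workflow identity rather than a key, with something of the form `sigstore verify identity --bundle <file>.sigstore.json --cert-identity https://github.com/<owner>/<repo>/.github/workflows/release.yml@refs/tags/<tag> --cert-oidc-issuer https://token.actions.githubusercontent.com <file>` (placeholders, to be filled with the real repository, workflow path and tag); a bundle produced by any other repository, workflow file or ref fails that check, which is the property GPG signatures on PyPI never gave.
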

blink1073 commented 2 months ago

@lwasser I'm happy to take on this one. Where would you like this applied, only in this repo?

lwasser commented 2 months ago

@blink1073 that would be amazing! Yes!! If you are able to document what you do in applying it, that would be super helpful for when we create a tutorial on CI workflows to publish to PyPI. Thank you!!

willingc commented 2 months ago

@blink1073 Thanks for pitching in! Great to see you over here and at PyCon. ☀️

blink1073 commented 2 months ago

Great to see you too @willingc, happy to help!

if you are able to document what you do in applying it that would be super helpful for when we create a tutorial on ci workflows to publish to pypi. thank you!!

Will do!