scikit-hep / hist

Histogramming for analysis powered by boost-histogram
https://hist.readthedocs.io
BSD 3-Clause "New" or "Revised" License
123 stars 23 forks

ci: Add GitHub artifact attestations to package distribution #568

Closed matthewfeickert closed 1 month ago

matthewfeickert commented 1 month ago

The hist v2.7.3 release now has attestations: https://github.com/scikit-hep/hist/attestations

$ python -m pip --no-cache-dir download --no-deps hist
Collecting hist
  Downloading hist-2.7.3-py3-none-any.whl.metadata (16 kB)
Downloading hist-2.7.3-py3-none-any.whl (40 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 40.6/40.6 kB 1.3 MB/s eta 0:00:00
Saved ./hist-2.7.3-py3-none-any.whl
Successfully downloaded hist
$ gh attestation verify hist*.whl --repo scikit-hep/hist
Loaded digest sha256:635aaa69bdbde57734feb5965762295669da44a20b11321143ae9301652c9a23 for file://hist-2.7.3-py3-none-any.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:635aaa69bdbde57734feb5965762295669da44a20b11321143ae9301652c9a23 was attested by:
REPO             PREDICATE_TYPE                  WORKFLOW                                 
scikit-hep/hist  https://slsa.dev/provenance/v1  .github/workflows/cd.yml@refs/tags/v2.7.3
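
The check shown in the comment above can gate installation. This is an added example, not part of the original comment or the hist project. `--repo` alone accepts an attestation from any workflow in the repository, so the sketch also pins the signing workflow and predicate type. The function names are hypothetical; `--signer-workflow` and `--predicate-type` are `gh attestation verify` options not used on the page, and `sha256sum` from coreutils is assumed.

```shell
# Added example; function names are hypothetical, not from the hist project.

# Print a file's digest in the "sha256:<hex>" form that gh reports.
file_digest() {
  printf 'sha256:%s\n' "$(sha256sum "$1" | cut -d' ' -f1)"
}

# verify_wheel FILE REPO WORKFLOW_PATH
# Succeeds only if FILE carries SLSA provenance signed by REPO's WORKFLOW_PATH.
# On success prints the verified digest on stdout; gh's own report goes to stderr.
verify_wheel() {
  local file="$1" repo="$2" workflow="$3"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  gh attestation verify "$file" \
    --repo "$repo" \
    --signer-workflow "$repo/$workflow" \
    --predicate-type https://slsa.dev/provenance/v1 >&2 || {
    echo "REJECT $file: no matching attestation" >&2
    return 1
  }
  file_digest "$file"
}

# install_verified SPEC REPO WORKFLOW_PATH
# Downloads SPEC without dependencies, verifies every downloaded file, then
# installs from the verified directory only (--no-index: nothing is re-fetched).
install_verified() {
  local spec="$1" repo="$2" workflow="$3" dir f
  dir=$(mktemp -d) || return 2
  python -m pip --no-cache-dir download --no-deps --dest "$dir" "$spec" || return 2
  for f in "$dir"/*; do
    verify_wheel "$f" "$repo" "$workflow" || return 1
  done
  python -m pip install --no-index --no-deps --find-links "$dir" "$spec"
}

# Usage: install_verified 'hist==2.7.3' scikit-hep/hist .github/workflows/cd.yml
```

Recording the printed digest in a lock file or CI log lets a later run confirm it installs the same attested artifact.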