thejcannon / keeping-it-wheel

TBD

How to implement reproducibility/trust #1

Open thejcannon opened 2 months ago

thejcannon commented 2 months ago

The plan here is to provide as much information as possible to give users trust in the artifacts (that they are faithful compilations of the upstream sdist, and that neither I nor anyone else has tampered with them).

  1. Use a lockfile for both build and cibuildwheel
  2. Investigate reproducibility of cibuildwheel
  3. Log/upload the Workflow YAML itself
  4. Log/upload information about the upstream sdist (URL, sha256, etc.)
  5. Attestations: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
  6. (on the cheeseshop side): https://peps.python.org/pep-0740/
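As an added illustration of bullets 3 and 4 (not code from this repository): a small script that records every input determining a wheel's contents (upstream sdist digest and URL, the workflow YAML, the lockfile) into a manifest uploaded beside the wheel, and a verifier that a downstream user can run against an independently obtained sdist digest. All file contents and the URL are constructed placeholders.

```python
"""Record and verify the inputs of a wheel build (added example, not the
repository's own code). The sdist bytes, workflow YAML, lockfile and URL
below are constructed stand-ins for the real files."""
import hashlib
import json

SDIST_URL = "https://example.invalid/pkg-1.0.tar.gz"  # placeholder, not a real sdist
SDIST_BYTES = b"constructed sdist contents"
WORKFLOW_YAML = b"name: build\non: push\n"
LOCKFILE = b"cibuildwheel==0.0.0\n"  # constructed pin, not a real version


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(sdist_url: str, sdist: bytes, workflow: bytes, lockfile: bytes) -> dict:
    """Describe every input that determines what ends up in the wheel."""
    return {
        "sdist": {"url": sdist_url, "sha256": sha256_hex(sdist), "size": len(sdist)},
        "workflow_sha256": sha256_hex(workflow),
        "lockfile_sha256": sha256_hex(lockfile),
    }


def verify_manifest(manifest: dict, sdist: bytes, workflow: bytes,
                    lockfile: bytes, expected_sdist_sha256: str) -> list:
    """Return the list of mismatches; an empty list means the recorded inputs
    match what the verifier holds. expected_sdist_sha256 must come from an
    independent source (the upstream project's published digest), never from
    the manifest itself, otherwise a tampered manifest would verify."""
    problems = []
    if manifest["sdist"]["sha256"] != expected_sdist_sha256:
        problems.append("manifest sdist digest differs from upstream digest")
    if sha256_hex(sdist) != manifest["sdist"]["sha256"]:
        problems.append("sdist bytes do not match manifest")
    if sha256_hex(workflow) != manifest["workflow_sha256"]:
        problems.append("workflow YAML changed since the build")
    if sha256_hex(lockfile) != manifest["lockfile_sha256"]:
        problems.append("lockfile changed since the build")
    return problems


if __name__ == "__main__":
    m = build_manifest(SDIST_URL, SDIST_BYTES, WORKFLOW_YAML, LOCKFILE)
    print(json.dumps(m, indent=2))
    print(verify_manifest(m, SDIST_BYTES, WORKFLOW_YAML, LOCKFILE, sha256_hex(SDIST_BYTES)))
```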

thejcannon commented 2 months ago

(credit @woodruffw for bullets 5 and 6)