ci: enable Sigstore attestations for PyPI releases (#21)

* test gpg

* ci: enable Sigstore attestations for PyPI releases

Add attestations: true to pypa/gh-action-pypi-publish and
attestations: write permission so each release generates
verifiable Sigstore provenance tied to the GitHub Actions workflow.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: JRemitz

.github/workflows/release.yml

@@ -15,6 +15,7 @@ jobs:
     environment: release
     permissions:
       id-token: write
+      attestations: write
 
     steps:
       - uses: actions/checkout@v4
@@ -43,3 +44,5 @@ jobs:
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestations: true

test.txt

@@ -0,0 +1,2 @@
+
+