ci: enable Sigstore attestations for PyPI releases (#1)

Add attestations: true to pypa/gh-action-pypi-publish and
attestations: write permission so each release generates
verifiable Sigstore provenance tied to the GitHub Actions workflow.

Co-authored-by: Claude <noreply@anthropic.com>

Author: JRemitz

.github/workflows/release.yml

@@ -11,6 +11,7 @@ jobs:
     environment: release
     permissions:
       id-token: write
+      attestations: write
 
     steps:
       - uses: actions/checkout@v4
@@ -45,3 +46,5 @@ jobs:
 
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestations: true