chore(ci): generate GitHub artifact attestations on release

Author: scop

.github/workflows/ci.yaml

@@ -45,6 +45,9 @@ jobs:
       pull-requests: write
       # Needed for adding labels for PRs, we shouldn't actually need this, see https://github.com/orgs/community/discussions/156181
       issues: write
+      # attestations and id-token for attest-build-provenance
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         include:
@@ -103,3 +106,7 @@ jobs:
           GH_TOKEN: ${{github.token}}
           RELEASE_PLEASE_TAG_NAME: ${{steps.release.outputs.tag_name}}
         if: steps.release.outputs.release_created
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-checksums: sha256sums.txt
+        if: steps.release.outputs.release_created