Try out sigstore attestation

Found the sign command in rubygems/release-gem#11

Based on sigstore/sigstore-ruby#225, the
sigstore-cli sign command only works when run in GitHub Actions, right
now.

Locally, I got

    $ ruby -S gem exec sigstore-cli:0.2.1 sign slenips --bundle attestation.sigstore.json
    Fetching protobug-0.1.0.gem
    Fetching sigstore-cli-0.2.1.gem
    Fetching protobug_well_known_protos-0.1.0.gem
    Fetching protobug_googleapis_field_behavior_protos-0.1.0.gem
    Fetching protobug_sigstore_protos-0.1.0.gem
    Fetching sigstore-0.2.1.gem
    Failed to detect an ambient identity token, please provide one via --identity-token (Sigstore::Error::InvalidIdentityToken)

Author: dentarg

.github/workflows/release.yml

@@ -22,4 +22,11 @@ jobs:
       - uses: rubygems/[email protected]
       - run: gem build slenips.gemspec
       - run: gem install ./slenips-*.gem
-      - run: gem push ./slenips-*.gem
+      - run: |
+          ruby -S gem exec sigstore-cli:0.2.1 sign slenips --bundle attestation.sigstore.json
+      - uses: actions/upload-artifact@v4
+        with:
+          name: attestation
+          path: attestation.sigstore.json
+      - run: |
+          gem push --attestation attestation.sigstore.json ./slenips-*.gem