I've been watching the addition of attestations in pex/ptex - and I think it would make sense if we had it as well. If for nothing else, then for CI attestation.
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds