Add attestations for release artifacts and Docker images

[shaanmajid]

Summary

Adds GitHub artifact attestations (SLSA provenance) for release artifacts and Docker images.

Users will be able to verify artifacts with:

# Release artifacts
gh attestation verify ty-x86_64-unknown-linux-gnu.tar.gz --repo astral-sh/ty

# Docker images
gh attestation verify oci://ghcr.io/astral-sh/ty:latest --repo astral-sh/ty

Test Plan

Tested end-to-end release and attestation verification on my fork.

• Workflow run: https://github.com/shaanmajid/ty/actions/runs/22075911317
• Test release: https://github.com/shaanmajid/ty/releases/tag/0.0.17

Verify release artifacts:

gh release download 0.0.17 --repo shaanmajid/ty --pattern "ty-x86_64-unknown-linux-gnu.tar.gz" --dir /tmp
gh attestation verify /tmp/ty-x86_64-unknown-linux-gnu.tar.gz --repo shaanmajid/ty

Verify Docker images:

gh attestation verify oci://ghcr.io/shaanmajid/ty:0.0.17 --repo shaanmajid/ty
gh attestation verify oci://ghcr.io/shaanmajid/ty:alpine --repo shaanmajid/ty
gh attestation verify oci://ghcr.io/shaanmajid/ty:debian --repo shaanmajid/ty

Notes

• actions/attest-build-provenance was preexisting in dist-workspace.toml but unused, so the upgrade across major versions is safe.
• This is effectively the same change set as Add attestations for release artifacts and Docker images ruff#23111, adapted for ty’s release workflows.

[shaanmajid]

cc @woodruffw per astral-sh/ruff#23111 (comment) :^)

[woodruffw]

Thanks @shaanmajid, assigning myself! I should be able to review this tomorrow.

[shaanmajid]

Rebased onto latest main to resolve a merge conflict. No rush, but ready for review whenever you get a chance!