It would be nice to use the SLSA framework to get provenance assertions for the release packages we put on PyPI. See: https://sethmlarson.dev/python-and-slsa