Add attestations for release artifacts and Docker images

[shaanmajid]

Summary

Adds GitHub artifact attestations (SLSA provenance) for release artifacts and Docker images.

Users will be able to verify artifacts with:

# Release artifacts
gh attestation verify ty-x86_64-unknown-linux-gnu.tar.gz --repo astral-sh/ty

# Docker images
gh attestation verify oci://ghcr.io/astral-sh/ty:latest --repo astral-sh/ty

Test Plan

Tested end-to-end release and attestation verification on my fork.

• Workflow run: https://github.com/shaanmajid/ty/actions/runs/22075911317
• Test release: https://github.com/shaanmajid/ty/releases/tag/0.0.17

Verify release artifacts:

gh release download 0.0.17 --repo shaanmajid/ty --pattern "ty-x86_64-unknown-linux-gnu.tar.gz" --dir /tmp
gh attestation verify /tmp/ty-x86_64-unknown-linux-gnu.tar.gz --repo shaanmajid/ty

Verify Docker images:

gh attestation verify oci://ghcr.io/shaanmajid/ty:0.0.17 --repo shaanmajid/ty
gh attestation verify oci://ghcr.io/shaanmajid/ty:alpine --repo shaanmajid/ty
gh attestation verify oci://ghcr.io/shaanmajid/ty:debian --repo shaanmajid/ty

Notes

• actions/attest-build-provenance was preexisting in dist-workspace.toml but unused, so the upgrade across major versions is safe.
• This is effectively the same change set as Add attestations for release artifacts and Docker images ruff#23111, adapted for ty’s release workflows.

[shaanmajid]

cc @woodruffw per astral-sh/ruff#23111 (comment) :^)

[woodruffw]

Thanks @shaanmajid, assigning myself! I should be able to review this tomorrow.

[shaanmajid]

Rebased onto latest main to resolve a merge conflict. No rush, but ready for review whenever you get a chance!

[MichaReiser]

friendly ping @woodruffw

[woodruffw]

Thanks @shaanmajid, LGTM!

[woodruffw]

Doesn't need to be done with this PR, but I believe there's a v4 series of attest-build-provenance (which in turn just makes it a wrapper around actions/attest). So maybe a good follow-up would be bumping to that or replacing with actions/attest entirely.

[shaanmajid]

Happy to bump to v4 either in this PR or later (although will note that at the time of writing, it's less than a week old). Would love to switch to just actions/attest, but I believe that would need upstream support from cargo-dist. Will leave an issue there.

[woodruffw]

I'm good with waiting on the bump!

[MichaReiser]

@woodruffw can we merge this or are we waiting for another change?

[woodruffw]

Nope, it's good to go (modulo the conflict).

[shaanmajid]

Rebased and solved the dist-workspace.toml conflicts. Should be ready to merge :^) @MichaReiser @woodruffw