A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
[GitHub artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) are similar to [Sigsum](https://www.sigsum.org/)[^1] but the signing process is fully automated, and happens in the same GitHub Actions worker that builds the binaries. Maybe this is a bit redundant, but given how easy it was to configure and how nice the integration with GitHub is, I thought you'd be interested to try it out.

### What will happen after merging/releasing this pull request?

Artifact attestations will be available at https://github.com/FiloSottile/age/attestations, and users will be able to verify the downloaded release artifacts using the `gh` command-line tool:

```console
$ gh attestation verify --owner FiloSottile age-v1.2.2-linux-amd64.tar.gz
Loaded digest sha256:... for file:///.../age-v1.2.2-linux-amd64.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:... was attested by:
REPO             PREDICATE_TYPE                  WORKFLOW
FiloSottile/age  https://slsa.dev/provenance/v1  .github/workflows/[email protected]
```

***

> [!TIP]
> See https://github.com/0x2b3bfa0/age/attestations/5246743 for a sample attestation in my fork. 🙈

[^1]: GitHub artifact attestations are based on [Sigstore](https://www.sigstore.dev), a project with some shared goals.
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be still under discussion. The issue was opened by 0x2b3bfa0 and has received 0 comments.
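What the `Loaded digest sha256:...` and `PREDICATE_TYPE` lines in the output above correspond to, as an added example that is not part of the pull request or the age project: it checks that the in-toto statement inside a DSSE envelope names the artifact's SHA-256 and carries the SLSA provenance predicate type. The envelope, file name and artifact bytes are constructed, and the signature and certificate verification that `gh attestation verify` performs is not reproduced here.

```python
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def statement_from_envelope(envelope: dict) -> dict:
    """Decode the in-toto statement carried in a DSSE envelope."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError("not an in-toto payload")
    return json.loads(base64.b64decode(envelope["payload"]))


def attests(statement: dict, artifact: bytes, predicate_type: str = SLSA_V1) -> bool:
    """True only if the predicate type matches and one subject carries
    the SHA-256 digest of the artifact bytes."""
    if statement.get("predicateType") != predicate_type:
        return False
    digest = hashlib.sha256(artifact).hexdigest()
    return any(
        subject.get("digest", {}).get("sha256") == digest
        for subject in statement.get("subject", [])
    )


def make_envelope(artifact: bytes, name: str) -> dict:
    """Build a constructed, unsigned envelope for the demo (hypothetical helper)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}


if __name__ == "__main__":
    release = b"constructed stand-in for a release tarball"
    stmt = statement_from_envelope(make_envelope(release, "age-demo.tar.gz"))
    print("original bytes attested:", attests(stmt, release))
    print("modified bytes attested:", attests(stmt, release + b"\x00"))
```

A matching digest only ties the statement to the file; trust in the statement itself still comes from the signature check done by the `gh` tool.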