Please add attestation file as a release artifact to enable verification without a requirement for GH login. Background discussion @ cli/cli#11803
This attestation file artifact is not to be confused with the Release attestation (json) file that GH automagically adds to your releases. The latter is not usable for attestation verification, or at least not without a login.
Example of how it works once implemented:
$ wget https://github.com/pypdfium2-team/pypdfium2/releases/download/5.9.0/pypdfium2-5.9.0.tar.gz
$ wget https://github.com/pypdfium2-team/pypdfium2/releases/download/5.9.0/pypdfium2-attestation.json
$ gh attestation trusted-root > trusted_root.jsonl # This `gh attestation` flag does not require a GH login
$ gh attestation verify pypdfium2-5.9.0.tar.gz -R pypdfium2-team/pypdfium2 --bundle pypdfium2-attestation.json --custom-trusted-root trusted_root.jsonl
Loaded digest sha256:db1274bd27844db6fda17ef1dbcd0026c47d357437058d838e98060c0da9e92e for file://pypdfium2-5.9.0.tar.gz
Loaded 1 attestations from pypdfium2-attestation.json
The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/pypdfium2-team
- Source Repository URI must match:......... https://github.com/pypdfium2-team/pypdfium2
- Subject Alternative Name must match regex: (?i)^https://github.com/pypdfium2-team/pypdfium2/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
✓ Verification succeeded!
The following 1 attestation matched the policy criteria
- Attestation #1
- Build repo:..... pypdfium2-team/pypdfium2
- Build workflow:. .github/workflows/main.yaml@refs/heads/main
- Signer repo:.... pypdfium2-team/pypdfium2
- Signer workflow: .github/workflows/main.yaml@refs/heads/main
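To show what `gh attestation verify` is actually binding in the session above, here is an added example (not code from this issue or from the pypdfium2 project) that opens a downloaded attestation bundle, decodes its DSSE payload into the in-toto statement, and checks that the statement's subject digest matches the tarball and that the predicate type is SLSA provenance v1. The bundle and tarball bytes are constructed inline; the function does not check the signature or the Fulcio certificate chain (issuer, SAN, repository), which is what `gh attestation verify --custom-trusted-root` does.

```python
import base64
import hashlib
import json

# Constructed sample: a Sigstore bundle as `gh attestation download` writes it,
# trimmed to the DSSE envelope (a real file also carries verificationMaterial).
ARTIFACT = b"constructed tarball bytes, not a real pypdfium2 release\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pypdfium2-5.9.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {}},
}
BUNDLE_JSON = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "signatures": [{"sig": "cGxhY2Vob2xkZXI="}],  # placeholder, not checked
    },
})


def bound_subject(bundle_json: str, artifact: bytes,
                  predicate_type: str = "https://slsa.dev/provenance/v1") -> dict:
    """Return the in-toto statement when its subject digest matches `artifact`
    and its predicateType matches; raise ValueError otherwise.

    This is only the artifact-to-attestation binding. Signature and certificate
    chain checks are left to `gh attestation verify` with a trusted root.
    """
    bundle = json.loads(bundle_json)
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env['payloadType']}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != predicate_type:
        raise ValueError(f"predicateType {stmt.get('predicateType')!r} "
                         f"is not {predicate_type!r}")
    digest = hashlib.sha256(artifact).hexdigest()
    # A bundle may list several subjects; the artifact must match one of them.
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        raise ValueError(f"no subject in the attestation has sha256:{digest}")
    return stmt
```

A tampered tarball (any byte changed) fails the subject check before the signature is even considered, which is why the bundle must be shipped next to the artifact rather than regenerated at verification time.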