chore: Attest build artifacts

.github/workflows/release.yml

@@ -3,10 +3,6 @@ name: Release
 on:
   push:
 
-permissions:
-  contents: write  # Needed to upload artifacts to the release
-  id-token: write  # Needed for OIDC PyPI publishing
-
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -24,19 +20,46 @@ jobs:
       name: publishing
       url: https://pypi.org/p/singer-sdk
     if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      id-token: write  # Needed for OIDC PyPI publishing
     steps:
     - uses: actions/download-artifact@v4
       with:
         name: Packages
         path: dist
-    - name: Upload wheel to release
+    - name: Publish
+      uses: pypa/[email protected]
+
+  upload-to-release:
+    name: Upload files to release
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: write     # Needed for uploading files to the release
+      id-token: write     # Needed for attestations
+      attestations: write # Needed for attestations
+
+    steps:
+    - uses: actions/download-artifact@v4
+      with:
+        name: Packages
+        path: dist
+    - name: Upload wheel and sdist to release
       uses: svenstaro/upload-release-action@v2
       with:
-        repo_token: ${{ secrets.GITHUB_TOKEN }}
-        file: dist/*.whl
+        file: dist/singer_sdk*
         tag: ${{ github.ref }}
         overwrite: true
         file_glob: true
-
-    - name: Publish
-      uses: pypa/[email protected]
+    - uses: actions/attest-build-provenance@v1
+      id: attest
+      with:
+        subject-path: "./dist/singer_sdk*"
+    - name: Upload attestations to release
+      uses: svenstaro/upload-release-action@v2
+      with:
+        file: ${{ steps.attest.outputs.bundle-path }}
+        tag: ${{ github.ref }}
+        overwrite: true
+        asset_name: attestations.intoto.jsonl