Add attestations for release artifacts and Docker images (#23111)
## Summary
Adds GitHub artifact attestations (SLSA provenance) for release
artifacts and Docker images.
Users will be able to verify artifacts with:
```bash
# Release artifacts
gh attestation verify ruff-x86_64-unknown-linux-gnu.tar.gz --repo astral-sh/ruff
# Docker images
gh attestation verify oci://ghcr.io/astral-sh/ruff:latest --repo astral-sh/ruff
```
## Test Plan
Tested end-to-end releases and attestation verification on my fork.
(Note: some finagling was necessary to successfully publish without a
dedicated depot runner; see a5d98386bb8b14d685164f6464908e84ba4ce91b.)
- Workflow run: https://github.com/shaanmajid/ruff/actions/runs/21732754488
- Test release: https://github.com/shaanmajid/ruff/releases/tag/0.15.0
Verify release artifacts:
```bash
gh release download 0.15.0 --repo shaanmajid/ruff --pattern "ruff-x86_64-unknown-linux-gnu.tar.gz" --dir /tmp
gh attestation verify /tmp/ruff-x86_64-unknown-linux-gnu.tar.gz --repo shaanmajid/ruff
```
Verify Docker images:
```bash
gh attestation verify oci://ghcr.io/shaanmajid/ruff:0.15.0 --repo shaanmajid/ruff
gh attestation verify oci://ghcr.io/shaanmajid/ruff:alpine --repo shaanmajid/ruff
gh attestation verify oci://ghcr.io/shaanmajid/ruff:debian --repo shaanmajid/ruff
```
## Notes
- `actions/attest-build-provenance` was preexisting in
`dist-workspace.toml` but was unused, so the upgrade across major
versions is safe.