I see you are using actions/attest-build-provenance@v4 as part of your release workflow.
Please add the attestation file as a release artifact to enable verification without requiring a GH login. Background discussion @ `gh attestation verify` should be able to work without token / authentication · Issue #11803 · cli/cli · GitHub (please also consider adding your voice to this issue, as GH clearly needs to resolve this problem at a more fundamental level ultimately).
`bundle-path` is an output from actions/attest-build-provenance, but it is not uploaded to the release, and there is no way to programmatically access the `bundle-path` output without authenticating with a GH token unless you explicitly upload it as a release artifact, because downloading release artifacts does not require a GH token.
Example of how it works once implemented:
```console
$ wget https://github.com/pypdfium2-team/pypdfium2/releases/download/5.9.0/pypdfium2-5.9.0.tar.gz
$ wget https://github.com/pypdfium2-team/pypdfium2/releases/download/5.9.0/pypdfium2-attestation.json
$ gh attestation trusted-root > trusted_root.jsonl # This `gh attestation` flag does not require a GH login
$ gh attestation verify pypdfium2-5.9.0.tar.gz -R pypdfium2-team/pypdfium2 --bundle pypdfium2-attestation.json --custom-trusted-root trusted_root.jsonl
Loaded digest sha256:db1274bd27844db6fda17ef1dbcd0026c47d357437058d838e98060c0da9e92e for file://pypdfium2-5.9.0.tar.gz
Loaded 1 attestations from pypdfium2-attestation.json

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/pypdfium2-team
- Source Repository URI must match:......... https://github.com/pypdfium2-team/pypdfium2
- Subject Alternative Name must match regex: (?i)^https://github.com/pypdfium2-team/pypdfium2/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... pypdfium2-team/pypdfium2
  - Build workflow:. .github/workflows/main.yaml@refs/heads/main
  - Signer repo:.... pypdfium2-team/pypdfium2
  - Signer workflow: .github/workflows/main.yaml@refs/heads/main
```
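The following workflow fragment is an added example of how the requested change could look; it is not code from the issue or from the pypdfium2 project. It assumes a tag-triggered release job, that the sdist ends up in `dist/`, that a release for the tag may or may not already exist, and that the asset name `pypdfium2-attestation.json` is the one consumers will pass to `gh attestation verify --bundle`. Everything else (`bundle-path`, the three permissions, `gh release upload`) is the documented behaviour of the action and the `gh` CLI.

```yaml
# Added example, not part of the original issue or the pypdfium2 project.
# Attests the sdist and publishes the attestation bundle as a release asset so
# that it can be downloaded without a GH token.
name: release

on:
  push:
    tags: ['*']

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # needed to create the release / upload assets
      id-token: write      # Sigstore signing identity for the attestation
      attestations: write  # stores the attestation in GitHub's attestation API
    steps:
      - uses: actions/checkout@v4

      # Build step is assumed; it only has to leave a tarball in dist/.
      - name: Build sdist
        run: python -m pip install build && python -m build --sdist

      - name: Attest build provenance
        id: attest
        uses: actions/attest-build-provenance@v4
        with:
          subject-path: dist/pypdfium2-*.tar.gz

      # bundle-path is the action's output file. Copy it under a stable, documented
      # asset name so the verify command in the issue works verbatim.
      - name: Upload tarball and attestation bundle as release assets
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.ref_name }}
          BUNDLE: ${{ steps.attest.outputs.bundle-path }}
        run: |
          cp "$BUNDLE" pypdfium2-attestation.json
          # Create the release if nothing else in the pipeline has done so yet (assumption).
          gh release view "$TAG" >/dev/null 2>&1 || gh release create "$TAG" --generate-notes
          gh release upload "$TAG" dist/pypdfium2-*.tar.gz pypdfium2-attestation.json --clobber
```

With the bundle published next to the tarball, a consumer can run `gh attestation trusted-root` and `gh attestation verify ... --bundle pypdfium2-attestation.json --custom-trusted-root trusted_root.jsonl` exactly as shown above, with no GitHub login at any step. `--clobber` only matters if the job is re-run for the same tag; drop it if overwriting assets should fail loudly instead.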