Generate GHA attestations during release

Signed-off-by: Facundo Tuesca <[email protected]>

{{cookiecutter.project_slug}}/.github/workflows/release.yml

@@ -29,13 +29,31 @@ jobs:
         name: distributions
         path: dist/
 
+  generate-provenance:
+    name: Generate SLSA provenance for distributions
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      id-token: write # To sign the provenance.
+      attestations: write # To persist the attestation files.
+    steps:
+      - name: Download distributions
+        uses: actions/download-artifact@v4
+        with:
+          name: distributions
+          path: dist/
+      - name: Generate build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'dist/*'
+
   publish:
     name: Publish Python distributions to PyPI
     runs-on: ubuntu-latest
     environment:
       name: pypi
       url: https://pypi.org/p/{{cookiecutter.project_slug}}
-    needs: [build]
+    needs: [build, generate-provenance]
     permissions:
       # Used to sign the release's artifacts with sigstore-python.
       # Used to publish to PyPI with Trusted Publishing.