Description
To add onto #1494 and #1497, it would be nice to support PEP 740 digital attestations.
Unfortunately, it would require some additional refactoring of prek's release workflows. The pypi-publish job is in publish.yml, a reusable workflow called from release.yml. PyPI attestations don't work with this structure because OIDC tokens identify the calling workflow (release.yml), but the Trusted Publisher is configured for the called workflow (publish.yml).
The only viable solution, I believe, is to move the pypi-publish job directly into release.yml. However, this is not natively supported by cargo-dist, and would thus require allow-dirty = ["ci"] and manual changes, which would need to be preserved upon each regeneration.
uv hit this issue and reverted: astral-sh/uv#16944
Upstream tracking: pypi/warehouse#11096, axodotdev/cargo-dist#2216
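As an added illustration (not prek's actual workflow and not cargo-dist output), this is the shape of a release.yml that runs the publish job directly, so the OIDC token's identity and the PyPI Trusted Publisher both refer to release.yml; the trigger, build step, artifact name and environment name are assumptions.

```yaml
# release.yml (assumed shape). Because this file is hand-edited, cargo-dist
# must be told not to overwrite it, e.g. `allow-dirty = ["ci"]` in its config,
# and the edit must be re-applied after each regeneration.
name: Release
on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed build step; prek's real build is driven by cargo-dist.
      - run: pipx run build --sdist --wheel
      - uses: actions/upload-artifact@v4
        with:
          name: dist            # assumed artifact name
          path: dist/

  # Before: `pypi-publish` lived in publish.yml and was invoked here with
  # `uses: ./.github/workflows/publish.yml`. In that layout the OIDC token
  # names release.yml as the workflow, while the Trusted Publisher was
  # registered for publish.yml, so the attestation does not match.
  pypi-publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi           # assumed environment name
    permissions:
      id-token: write           # needed to mint the OIDC token for PyPI
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true    # PEP 740: sign and upload attestations
```

The Trusted Publisher entry on PyPI must then name release.yml (and the same environment, if one is used) as the publishing workflow, since that is the identity the token now carries.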