Add PEP 740 publish attestations to PyPI releases

[shaanmajid]

Context

The release-pypi job in release.yml publishes to PyPI over Trusted Publishing but uploads no PEP 740 attestations, so the wheels get no index-served provenance (e.g., none of the v1.14.0 files carry a provenance in the JSON API).

There's already an actions/attest step in that job, but it seems to mirror release-github and only writes a GitHub-side attestation (example). This technically works, but is kind of a mismatch; this isn't where Python consumers see provenance -- PEP 740 is the PyPI-native version.

Changes

• Adds astral-sh/attest-action on non-dry-runs to generate PEP 740 attestations right before uv publish, which uploads them automatically.
• Removes the redundant actions/attest step (and its required permissions, which are no longer necessary)
  • Again, thise step isn't inherently wrong, just somewhat non-idiomatic for Python wheels: it writes GitHub-side provenance where PEP 740 is the PyPI-native equivalent. Removed here since it's redundant, but it's an isolated change, so happy to drop that commit if its preferred to keep it.

I used astral-sh/attest-action since it fits the current uv flow with the smallest diff, and best preserves existing dry-run semantics. An alternative would be to move the publish to pypa/gh-action-pypi-publish, which uses Trusted Publishing + PEP 740 by default, which is also used bypyo3/pyo3). Happy to change in that direction if maintainers prefer :^)

Note: release-github's attestations are untouched; those will continue to be available via GitHub Releases as before.