Write GitHub provenance for packages

Author: hynek

Diff for: .github/workflows/pypi-package.yml

@@ -1,5 +1,5 @@
 ---
-name: Build & maybe upload PyPI package
+name: Build & upload PyPI package
 
 on:
   push:
@@ -11,6 +11,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  attestations: write
   contents: read
   id-token: write
 
@@ -31,6 +32,8 @@ jobs:
           fetch-depth: 0
 
       - uses: hynek/build-and-inspect-python-package@v2
+        with:
+          attest-build-provenance-github: 'true'
 
   # Upload to Test PyPI on every commit on main.
   release-test-pypi: