
Verify attestations #1107

Merged

martincostello merged 1 commit into main from verify-attestations-before-publish on Dec 2, 2025

Conversation

@martincostello (Owner)

Verify release artifact attestations before publishing.

Copilot AI review requested due to automatic review settings December 2, 2025 09:55
@martincostello added the labels enhancement (New feature or request) and github_actions (Pull requests that update GitHub Actions code) on Dec 2, 2025
@codecov (bot) commented Dec 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.59%. Comparing base (ef67ae7) to head (9199dc3).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.

@@           Coverage Diff           @@
##             main    #1107   +/-   ##
=======================================
  Coverage   98.59%   98.59%           
=======================================
  Files          16       16           
  Lines         284      284           
  Branches       37       37           
=======================================
  Hits          280      280           
  Misses          2        2           
  Partials        2        2           
Flag      Coverage Δ
linux     98.59% <ø> (ø)
macos     98.59% <ø> (ø)
windows   98.59% <ø> (ø)

Flags with carried forward coverage won't be shown.



Copilot AI left a comment


Pull request overview

This PR enhances the release artifact verification process by adding attestation verification to complement the existing GPG signature verification. Attestations are created during the build process (in build.yml) and are now verified before publishing packages to NuGet.org, strengthening supply chain security.

Key changes:

  • Added attestations: read permission to enable reading of GitHub attestations
  • Integrated the gh attestation verify command to verify build provenance before publishing
  • Enhanced verification logging to distinguish between signature and attestation verification steps

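A publish job of the shape the review above describes, as an added example that is not the project's own workflow: a job-level attestations: read permission, then a gh attestation verify step that must pass for every package before anything is pushed to NuGet.org. The artifact name, the secret name and the file layout are assumptions.

```yaml
# Added example, not the project's workflow. Assumes build.yml uploaded the
# .nupkg files as an artifact named "packages" and the API key is in NUGET_API_KEY.
name: publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      attestations: read   # lets `gh attestation verify` read this repo's attestations
      contents: read
    steps:
      - name: Download packages
        uses: actions/download-artifact@v4
        with:
          name: packages
          path: ./artifacts

      - name: Verify attestations
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          shopt -s nullglob
          packages=(./artifacts/*.nupkg)
          if [ "${#packages[@]}" -eq 0 ]; then
            echo "::error::no .nupkg files found; refusing to continue"
            exit 1
          fi
          for package in "${packages[@]}"; do
            echo "Verifying build provenance for ${package}"
            # Exits non-zero unless an attestation produced by this repository's
            # workflows matches the package digest, so the job stops before publishing.
            gh attestation verify "${package}" --repo "${REPO}"
          done

      - name: Publish to NuGet.org
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
        run: |
          set -euo pipefail
          for package in ./artifacts/*.nupkg; do
            dotnet nuget push "${package}" --api-key "${NUGET_API_KEY}" --source https://api.nuget.org/v3/index.json --skip-duplicate
          done
```

Because the verify step runs with set -e and the publish step only runs if every earlier step succeeded, a single unattested or tampered package blocks the whole release rather than just logging a warning.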

