Update py-publish.yml to generate build provenance attestations

ref to #28

Author: shenxianpeng

.github/workflows/py-publish.yml

@@ -5,6 +5,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write
+  attestations: write
 
 jobs:
   publish-to-pypi:
@@ -29,6 +31,11 @@ jobs:
     - name: Check distribution
       run: twine check dist/*
 
+    - name: Create attestations
+      uses: actions/attest-build-provenance@v1
+      with:
+        subject-path: 'dist/*'
+
     - name: Publish package (to TestPyPI)
       if: github.event_name == 'workflow_dispatch' && startsWith(github.repository, 'cpp-linter')
       env: