Enable PEP 740 attestations for PyPI releases

[Copilot]

Overview

Resolves the PEP 740 compliance issue by enabling cryptographic attestations for PyPI releases.

PEP 740 provides verifiable proof that published packages originated from this repository's GitHub Actions workflow, enhancing supply chain security.

Details

• Added attestations: true to the pypa/gh-action-pypi-publish action in .github/workflows/publish-to-pypi.yml
• Attestations will be automatically generated and uploaded to PyPI for all future releases using the existing Trusted Publishing (OIDC) configuration

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Are we PEP 740 yet?</issue_title>
<issue_description>### Describe what maintenance you would like added.

PEP 740 is a Python standard for defining cryptographically verifiable attestations hosted by indices like PyPI.

Links to source code.

https://trailofbits.github.io/are-we-pep740-yet/

Pseudocode or Screenshots

None</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Are we PEP 740 yet? #487

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.