
Support attestations in GitHub announce phase #1754

Open
@samypr100


Feature Request: I would like to have support for GitHub attestations during the announce phase, with the ability to filter on what the subjects should be. See the example working workflow astral-sh/uv#11357.

Problem: Even though there is already support for GitHub attestations via `github-attestations = true`, it only works when `build-local-artifacts` is used, which is not the case in the above scenario/workflow. In addition, it would be desirable to be able to configure what gets attested and becomes part of the subject versus what does not, as shown in the above workflow.

Proposal:

  1. Support `actions/attest-build-provenance@v2` in the announce phase. This could be introduced by adding a `github_attestations_phase` configuration variable that takes either `announce` or `build-local-artifacts`, defaulting to `build-local-artifacts` for backwards compatibility, and modifying `publish_github.yml.j2` to support it.

  2. Support filters for attestations in the announce phase. This could also be done by adding a `github_attestations_filters` configuration variable that is an array of strings that will be passed down to `subject-path` in `attest-build-provenance` in the announce phase. This can default to `None` for backwards compatibility. For example, in the case of `build-local-artifacts` it should result in the current `target/distrib/*${{ join(matrix.targets, ', ') }}*`, but when used with `announce` it will result in `artifacts/*` by default, or, when adding more filters such as `['*.json', '*.sh', '*.ps1', '*.zip', '*.tar.gz']`, it would work as shown below.

      - name: Generate artifact attestations
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            artifacts/*.json
            artifacts/*.sh
            artifacts/*.ps1
            artifacts/*.zip
            artifacts/*.tar.gz

I'd appreciate any thoughts/guidance here if this is achievable or something you'd be happy to support from an external contribution 😄
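To make the proposed semantics concrete, here is a constructed sketch (added here, not cargo-dist's own template code) of how `github_attestations_phase` and `github_attestations_filters` could be turned into the `subject-path` list of the attest step: `build-local-artifacts` keeps today's subject path, `announce` defaults to `artifacts/*`, and filters are applied as globs inside `artifacts/`. The check that a filter cannot contain path separators is an assumption added so that a filter cannot attest files outside the uploaded artifacts directory.

```python
"""Sketch of the proposed attestation config -> attest-build-provenance step.
Constructed example for this issue; not cargo-dist's publish_github.yml.j2."""
from typing import Optional

ACTION = "actions/attest-build-provenance@v2"
# Subject path used today in the build-local-artifacts phase (quoted from the issue).
LOCAL_SUBJECT = "target/distrib/*${{ join(matrix.targets, ', ') }}*"
PHASES = ("build-local-artifacts", "announce")


def subject_paths(phase: str, filters: Optional[list] = None) -> list:
    """Return the subject-path entries for the given phase, using the issue's defaults."""
    if phase not in PHASES:
        raise ValueError(f"github_attestations_phase must be one of {PHASES}, got {phase!r}")
    if phase == "build-local-artifacts":
        # Filters only apply to the announce phase; current behaviour is kept here.
        return [LOCAL_SUBJECT]
    if not filters:
        return ["artifacts/*"]
    paths = []
    for pattern in filters:
        # Assumption: filters are plain glob names inside artifacts/, so a filter
        # cannot reach outside the directory that the announce job downloaded.
        if "/" in pattern or "\\" in pattern or ".." in pattern:
            raise ValueError(f"filter {pattern!r} must not contain path separators")
        paths.append(f"artifacts/{pattern}")
    return paths


def render_attest_step(phase: str, filters: Optional[list] = None) -> str:
    """Render the workflow step as YAML text, matching the snippet in the issue."""
    lines = [
        "- name: Generate artifact attestations",
        f"  uses: {ACTION}",
        "  with:",
        "    subject-path: |",
    ]
    lines += [f"      {p}" for p in subject_paths(phase, filters)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_attest_step("announce", ["*.json", "*.sh", "*.ps1", "*.zip", "*.tar.gz"]))
```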
