add post-hoc verification action

Author: janfb

.github/workflows/attest-existing-release.yml

@@ -0,0 +1,41 @@
+name: Attest existing release assets ✅
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: Git tag of the existing release (e.g., v0.25.0)
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
+jobs:
+  attest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prepare dist directory
+        run: mkdir -p dist
+
+      - name: Download assets from GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: >-
+          gh release download
+          '${{ inputs.tag }}'
+          --repo '${{ github.repository }}'
+          -D dist/
+          -p '*.whl' -p '*.tar.gz'
+
+      - name: List downloaded files
+        run: ls -lah dist || true
+
+      - name: Generate build provenance attestations
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: |
+            dist/*.tar.gz
+            dist/*.whl