Add dependabot and adjust permissions

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      actions-minor:
+        update-types:
+          - minor
+          - patch

.github/workflows/contract.yml

@@ -1,5 +1,8 @@
 name: Test Contract
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]

.github/workflows/lint.yml

@@ -1,14 +1,14 @@
 name: Linting
 
+permissions:
+  contents: read
+
 on:
   # TODO adjust once we do PR
   push:
     branches: [ main ]
   pull_request:
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

.github/workflows/python-release.yml

@@ -0,0 +1,45 @@
+name: publish distributions
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    name: Publish Python distribution to PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    environment:
+      name: publish-package
+
+    steps:
+      # - name: Collect built artifacts
+      # ...
+
+      - name: Generate artifact attestation for sdist and wheels
+        uses: actions/attest-build-provenance@<full action commit SHA> # vX.Y.Z
+        with:
+          subject-path: "dist/tansu*"
+
+      - name: Verify artifact attestation
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          for artifact in dist/*; do
+              echo "# ${artifact}"
+              gh attestation verify "${artifact}" --repo ${{ github.repository }}
+          done
+
+      - name: Publish distribution to PyPI
+        uses: pypa/gh-action-pypi-publish@<full action commit SHA> # vX.Y.Z
+        with:
+          print-hash: true