Add GitHub Provenance Mechanism to the Project #3967

Open
anotherGoogleFan wants to merge 13 commits into SagerNet:testing from anotherGoogleFan:testing

Conversation

@anotherGoogleFan

This PR integrates GitHub’s Provenance mechanism—also known as GitHub Artifact Attestations—into the release workflow.

As this is a relatively sensitive project, security is of critical importance.

The purpose of the Provenance mechanism is not to “scan for vulnerabilities,” but to attach a verifiable proof of origin to the final build artifacts. Verifiers can confirm that these installation packages or binaries were built from this repository, using a specific workflow and commit, within GitHub Actions—rather than being manually replaced or coming from an unknown build environment.

The widely discussed XZ Utils backdoor incident is a classic example: the source code appeared clean, but the released precompiled binaries were compromised. This highlights how crucial it is to ensure the trustworthiness of software supply chain artifacts. Issues may not only exist in the public source code, but also in the actual build, packaging, and distribution processes. The Provenance mechanism provides exactly this kind of verifiable origin, helping downstream users ensure that the files they receive come from the expected official build pipeline.

==========================================
This PR integrates GitHub's Provenance mechanism, that is, GitHub Artifact Attestations, into the release workflow.

As this is a relatively sensitive project, security is extremely important.

The role of the Provenance mechanism is not to “scan for vulnerabilities”, but to attach a verifiable proof of origin to the final build artifacts. Verifiers can confirm that these installation packages or binaries were indeed built from this repository, by the specified workflow and the specified commit, inside GitHub Actions, rather than being manually replaced or coming from an unknown build environment.

The Linux xz backdoor incident that drew wide attention some time ago is a typical case of “the source is clean, but the released precompiled binaries were poisoned”. It also shows how important the trustworthiness of the “release artifacts” themselves is in the software supply chain. The problem does not necessarily lie only in the public source layer; it may also appear in the binary artifacts that are actually built, packaged and distributed. What the Provenance mechanism provides is exactly this kind of “verifiability of origin”, helping downstream users confirm that the files they receive come from the expected official build pipeline.
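The checks the description talks about (built from this repository, by this workflow, at this commit, inside GitHub Actions) live in the SLSA provenance statement that an attestation carries. The following is an added example, not code from this PR or the project: it constructs a sample statement in the shape GitHub Artifact Attestations emit (repository name is a placeholder) and checks a downloaded artifact against it. It deliberately checks only the statement's claims; the Sigstore signature over the statement has to be verified first, for example with `gh attestation verify`.

```python
import hashlib
import json

# Constructed sample artifact and a constructed SLSA v1 provenance statement
# in the shape GitHub Artifact Attestations produce. Repo name and commit are
# placeholders, not values from the project.
REPO = "SagerNet/PLACEHOLDER-REPO"
WORKFLOW = ".github/workflows/build.yml"
ARTIFACT = b"constructed release binary bytes"
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "tool-linux-amd64.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/testing",
                "repository": f"https://github.com/{REPO}",
                "path": WORKFLOW}},
            "resolvedDependencies": [{
                "uri": f"git+https://github.com/{REPO}@refs/heads/testing",
                "digest": {"gitCommit": "c0ffee" + "0" * 34}}]},  # placeholder
        "runDetails": {"builder": {
            "id": f"https://github.com/{REPO}/{WORKFLOW}@refs/heads/testing"}}}})


def check_provenance(statement_json, artifact, expected_repo, expected_workflow):
    """Return the list of failed checks; an empty list means the claims match."""
    st = json.loads(statement_json)
    failures = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("not a SLSA v1 provenance statement")
    # The artifact we hold must be one of the statement's subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in st.get("subject", [])):
        failures.append("artifact digest not among statement subjects")
    pred = st.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != f"https://github.com/{expected_repo}":
        failures.append(f"built from {wf.get('repository')}, not {expected_repo}")
    if wf.get("path") != expected_workflow:
        failures.append(f"built by workflow {wf.get('path')}, not {expected_workflow}")
    # The builder id names the workflow that ran, so a fork's workflow cannot pass.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(f"https://github.com/{expected_repo}/"):
        failures.append("builder id does not belong to the expected repository")
    return failures


def source_commit(statement_json):
    """Return the git commit the statement says the artifact was built from."""
    deps = json.loads(statement_json)["predicate"]["buildDefinition"]["resolvedDependencies"]
    return next(d["digest"]["gitCommit"] for d in deps if d["uri"].startswith("git+"))
```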

nekohasekai force-pushed the testing branch 6 times, most recently from 484b664 to 25052a2 on April 3, 2026 15:02


2 participants