It would be nice to use the SLSA framework to get provenance assertions for the release packages we put on PyPI. See: https://sethmlarson.dev/python-and-slsa