mne-python
small security upgrade to our upload action
There is a subtle security hole in how GitHub handles release artifacts: they're auto-generated on each request (so if GH changes their process for generating the ~~wheels~~ sdists (ZIP files), the checksum can change, which makes it hard for downstream users to verify the authenticity of our ~~wheels~~ sdists). We could add to our release action a new step that attaches the built ~~wheel~~ sdist that we end up pushing to PyPI, in which case its checksum will be stable.
example of how to do this: https://github.com/conda/conda/blob/main/.github/worflows/upload.yml
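The two halves of the point above, shown concretely as an added example (this is not code from mne-python or from the linked conda workflow): first, two archives of the *same* file tree generated at different times have the same contents but different bytes, so a checksum pinned against an on-the-fly archive is brittle; second, an artifact that was built once and attached to the release can be verified against a pinned SHA-256, and any regenerated or modified copy fails that check. The file tree, timestamps and the `verify_artifact` helper are constructed for the demonstration; stdlib only, runs offline.

```python
"""Why on-the-fly source archives cannot be pinned by checksum, and how a
downstream user verifies an sdist that was attached to a release.

Added example, not code from mne-python or the linked conda workflow."""
import hashlib
import hmac
import io
import zipfile

# Constructed sample tree standing in for a tagged repository checkout.
SAMPLE_TREE = {
    "mne-1.0.0/pyproject.toml": b"[project]\nname = 'mne'\nversion = '1.0.0'\n",
    "mne-1.0.0/mne/__init__.py": b"__version__ = '1.0.0'\n",
}


def build_zip(tree, date_time):
    """Build a ZIP archive of `tree` in memory.

    Only the entry timestamp varies between calls here, but any change in the
    generator (compression library, entry ordering, metadata) has the same
    effect: identical contents, different archive bytes, different checksum."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(tree.items()):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def extract_tree(zip_bytes):
    """Return {name: bytes} so the *contents* of two archives can be compared
    independently of the archive bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(artifact_bytes, pinned_sha256_hex):
    """Downstream check: recompute SHA-256 of the downloaded sdist and compare
    it with the digest pinned when the artifact was attached to the release.
    hmac.compare_digest keeps the comparison constant-time; cheap good habit."""
    actual = sha256_hex(artifact_bytes)
    return hmac.compare_digest(actual.lower(), pinned_sha256_hex.strip().lower())


def demo():
    # Two "auto-generated" archives of the same tree, regenerated at different times.
    first = build_zip(SAMPLE_TREE, (2024, 1, 1, 0, 0, 0))
    second = build_zip(SAMPLE_TREE, (2024, 6, 1, 0, 0, 0))
    same_contents = extract_tree(first) == extract_tree(second)
    same_checksum = sha256_hex(first) == sha256_hex(second)

    # The artifact actually attached to the release: built once, hashed once,
    # and the hash published alongside it (e.g. a SHA256SUMS file).
    attached = first
    pinned = sha256_hex(attached)
    # A copy with a single bit flipped in the trailing byte (constructed tamper).
    tampered = attached[:-1] + bytes([attached[-1] ^ 0x01])
    return {
        "same_contents": same_contents,            # True: the files match
        "same_checksum": same_checksum,            # False: the bytes do not
        "attached_verifies": verify_artifact(attached, pinned),    # True
        "regenerated_verifies": verify_artifact(second, pinned),   # False
        "tampered_verifies": verify_artifact(tampered, pinned),    # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The release-side counterpart is the step the issue proposes: build the sdist once, record its SHA-256 in the same job, and upload that exact file (and its digest) as a release asset, so the bytes downstream users hash are the bytes that went to PyPI rather than an archive regenerated per request.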