fix: include archives in release archive attestation subject#6134

Open
sargunv wants to merge 3 commits into
prefix-dev:mainfrom
sargunv:fix-release-archive-attestation
Conversation

@sargunv
@sargunv sargunv commented May 15, 2026

Description

Update the release provenance attestation subject paths so the attestation includes the downloadable release assets that package managers verify before extraction.

Fixes #6133

How Has This Been Tested?

It hasn't (beyond ensuring YAML syntax).

The meaningful validation would be a release dry-run and inspection of the generated attestation subjects, for example:

gh workflow run Release --field tag=dry-run --ref <branch>

AI Disclosure

  • This PR contains AI-generated content.
    • I have tested any AI-generated content in my PR.
    • I take responsibility for any AI-generated content in my PR.

Tools: pi / gpt-5.5

Prompt summary: investigate issue #6133, inspect the release workflow, and apply a minimal workflow change so release attestations include downloadable archive/installer assets while preserving existing binary subjects.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added sufficient tests to cover my changes.
  • I have verified that changes that would impact the JSON schema have been made in schema/model.py.

@sargunv sargunv force-pushed the fix-release-archive-attestation branch from 09c5ee8 to 84ee36e Compare May 15, 2026 20:57
@sargunv sargunv force-pushed the fix-release-archive-attestation branch from 84ee36e to f163aa6 Compare May 15, 2026 20:57
@sargunv sargunv changed the title Fix release archive attestation subject fix: include archives in release archive attestation subject May 15, 2026
@sargunv sargunv marked this pull request as ready for review May 15, 2026 21:05
@baszalmstra baszalmstra requested a review from wolfv May 15, 2026 21:57
Development

Successfully merging this pull request may close these issues.

Release SLSA attestations cover the pixi binary but not the published .tar.gz archives

1 participant