
Harden release workflow: build-once + OIDC trusted publishing#127

Merged: frazane merged 1 commit into main from ci/phase-3-release on Jun 6, 2026

Conversation

frazane (Owner) commented Jun 6, 2026

Reworks the release workflow so a release can be rehearsed before it's ever needed, and so publishing no longer depends on a stored API token. The previous workflow had never actually run, so the goal here is to make the release path trustworthy.

What changed

  • Split the single job into build, publish-testpypi, and publish-pypi. The distribution is built and checked once, then the exact built artifact is what gets published.
  • Added a workflow_dispatch trigger that publishes to TestPyPI, so the whole build and publish path can be rehearsed end-to-end without a real tag.
  • Switched publishing to PyPI Trusted Publishing (OIDC) via pypa/gh-action-pypi-publish, and dropped the PYPI_TOKEN secret. The publish jobs request id-token: write and run in dedicated environments.
  • Added twine check on the built artifact so bad metadata fails before publishing. Kept the existing tag-vs-pyproject version guard for real releases.

Notes

  • On a PR only the build job runs; the publish jobs are gated to release / workflow_dispatch, so nothing is published from a PR.
  • Before the TestPyPI rehearsal or a real release can publish, a Trusted Publisher must be configured on TestPyPI and PyPI for this repo, the release.yaml workflow, and the testpypi / pypi environments. That is a one-time manual setup on the PyPI side.
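The layout described in this PR, written out as an added example workflow. This is not the repository's own release.yaml; it assumes a tag format of `v<version>`, a static `[project].version` in pyproject.toml (read with `tomllib`, so Python 3.11 or newer), and the `testpypi` / `pypi` environment names from the PR. Every action reference and input used here is a real, documented one.

```yaml
name: release

on:
  pull_request:
  release:
    types: [published]
  workflow_dispatch:

# Default to read-only; only the publish jobs widen this to mint an OIDC token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist and wheel once
        run: |
          python -m pip install --upgrade build twine
          python -m build
      - name: Fail on bad metadata before anything can be published
        run: python -m twine check --strict dist/*
      - name: Tag must match pyproject version (real releases only)
        if: github.event_name == 'release'
        run: |
          # Assumes tags look like v1.2.3 and [project].version is static.
          tag="${GITHUB_REF_NAME#v}"
          pkg="$(python -c 'import tomllib; print(tomllib.load(open("pyproject.toml", "rb"))["project"]["version"])')"
          if [ "$tag" != "$pkg" ]; then
            echo "tag $tag does not match pyproject version $pkg" >&2
            exit 1
          fi
      # The checked artifact is the only thing the publish jobs ever see.
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  publish-testpypi:
    needs: build
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    environment: testpypi
    permissions:
      id-token: write   # needed for Trusted Publishing; no API token secret
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/

  publish-pypi:
    needs: build
    if: github.event_name == 'release' && github.event.action == 'published'
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Two details worth checking in a real copy: the publish jobs deliberately do not check out the repository, so they cannot rebuild anything and can only upload the artifact that passed `twine check`; and because the OIDC token carries the workflow path and environment name, the Trusted Publisher registered on PyPI and TestPyPI must name this exact workflow file and the `pypi` / `testpypi` environments, or the upload is rejected. A pull_request run satisfies neither job's `if`, so it stops after `build`.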

@frazane frazane merged commit fc13d66 into main Jun 6, 2026
26 checks passed
@frazane frazane added the ci CI, tooling, repo automation label Jun 6, 2026