B6: release automation workflow

[jcddc83]

Summary

Adds .github/workflows/release.yml. Fires on pushed v*.*.* tags (or manually-published Releases). Builds sdist + wheel from pyproject.toml and attaches them to the GitHub Release for that tag.

Safety check: a pre-build step verifies the tag (stripped of leading v) matches the version in pyproject.toml. If they diverge, the workflow fails before building — the project can never ship a wheel whose filename version disagrees with its git tag.

Stacked on #1

This branch is based on claude/audit-github-repo-EWQDn (PR #1), because the release workflow depends on the pyproject.toml introduced there. Once #1 merges, please re-target this PR's base to main (or merge #1 first and the diff will collapse to just this commit).

Out of scope

• PyPI trusted publishing — left out for now. Easy follow-up once you have a PyPI account: add a pypi-publish step using pypa/gh-action-pypi-publish@release/v1 with OIDC trusted publishing configured on PyPI. No long-lived tokens needed.
• Auto-bumping pyproject.toml on tag push — intentionally manual. The version check above means a forgotten bump fails loudly rather than silently shipping the wrong artifact.

How to use after merge

# 1. Bump version in pyproject.toml (e.g. 1.0.0 -> 1.1.0) and commit
# 2. Tag
git tag v1.1.0
git push origin v1.1.0
# 3. Workflow runs, builds dist/, attaches wheel + sdist to a Release
#    for v1.1.0 (creating the Release if it doesn't exist).

Test plan

• After this and Repo hygiene + cookie hardening + initial test suite #1 merge, push a test tag (e.g. v1.0.1-test) to confirm the workflow runs end-to-end and produces uploadable artifacts
• Confirm the tag/version mismatch guard works by pushing a tag that doesn't match pyproject (expect failure before build)
• After confirming, delete the test tag/release and cut the real v1.1.0 once the audit changes are in

---

Generated by Claude Code