ci: add release and PyPI publish workflows

[obeone]

Summary

• Add release.yaml: automatically creates a GitHub Release with generated release notes when a v*.*.* tag is pushed
• Add publish-pypi.yaml: builds and publishes the Python package to PyPI when a release is published (requires PYPI_API_TOKEN secret)
• Existing build-and-publish.yaml already handles Docker tags (vX, vX.X, vX.X.X, X, X.X, X.X.X, latest) on release events

Setup required

• Configure PYPI_API_TOKEN secret in repo settings (Settings → Secrets and variables → Actions)

Test plan

• Push a test tag v2.0.1 and verify GitHub Release is created
• Verify build-and-publish workflow triggers and produces correct Docker tags
• Verify publish-pypi workflow triggers and uploads to PyPI

In general, the fix is to add an explicit permissions: block that limits the GITHUB_TOKEN to the minimum access needed. For this workflow, the job only needs to read the repository contents to allow actions/checkout to function; it does not need to push commits, manage releases, or modify pull requests. Therefore, we can safely set contents: read.

The best way to fix this without changing existing functionality is to add a top-level permissions: block (between name: and on:) so that all jobs in the workflow inherit it. This keeps the change minimal and clear. Concretely, in .github/workflows/publish-pypi.yaml, insert:

permissions:
  contents: read

after the first line (name: Publish to PyPI). No additional methods, imports, or definitions are required, since this is just GitHub Actions YAML configuration.