Add tag-triggered crates.io publish workflow

[gvonness-apolitical]

Summary

• Add .github/workflows/publish.yml — tag-triggered (v*) workflow with trusted publishing (OIDC, no API tokens)
  • ci job: fmt, build, test, clippy, docs, cargo-audit, cargo-deny
  • publish job: version tag validation, dry runs, sequential crate publishing (cdx-core → cdx-cli) via rust-lang/crates-io-auth-action@v1, runs in release environment
  • release job: extracts changelog section, creates GitHub Release via softprops/action-gh-release@v2
• Add version = "0.1.0" to workspace cdx-core dependency for crates.io resolution
• Restore codecov, crates.io, and docs.rs badges to README
• Update org URLs from gvonness-apolitical to Entrolution across CHANGELOG, CONTRIBUTING, Cargo.toml, README

Prerequisites (manual, before first tag-triggered release)

• Claim crate names on crates.io (initial manual publish)
• Configure trusted publishers on crates.io for both crates
• Create release GitHub Actions environment

Test plan

• Merge PR, bump versions to 0.1.1, tag v0.1.1, push — verify workflow runs end-to-end
• Verify CI job passes (build, test, clippy, audit)
• Verify publish job authenticates via OIDC and publishes both crates
• Verify release job creates GitHub Release with changelog excerpt

[codecov]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️