
ci: add python release signing dry run #47

Merged: negillett merged 3 commits into main from add-python-release-signing-caller on May 17, 2026

Conversation

@negillett (Member)

Summary

  • Add a manual release signing dry-run workflow for the Python SDK.
  • Build and test Python distributions, then sign the built dist artifacts through the canonical generic-artifact signing path.
  • Pin privileged workflow actions and scope OIDC/write permissions to the signing job only.

Test plan

  • .venv/bin/python -m unittest discover -s tests -v
  • .venv/bin/python -m build --outdir dist .
  • go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/ci.yml .github/workflows/dco.yml .github/workflows/release-signing-dry-run.yml

Review

No blocking issues found in the internal review. Residual packaging note: the local build emits a setuptools deprecation warning for the existing project.license table shape in pyproject.toml; this predates the release caller and does not block the dry run.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
cursor Bot commented May 17, 2026

PR Summary

Medium Risk
Introduces a new workflow that requests OIDC and write permissions to produce signing attestations; misconfiguration could affect release artifact integrity. Scoped to workflow_dispatch and isolates elevated permissions to the signing job, reducing blast radius.

Overview
Adds a new workflow_dispatch GitHub Actions workflow (release-signing-dry-run.yml) to dry-run the Python SDK release signing flow.

The workflow checks out a caller-provided ref, installs deps, runs unit tests, builds dist/ artifacts, uploads them, then invokes the reusable release-build-sign.yml workflow to generate signing attestations for the built distributions (with Rekor publishing disabled).

Reviewed by Cursor Bugbot for commit ee06071. Bugbot is set up for automated code reviews on this repo.
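The layout that the PR summary and the Bugbot overview describe (a workflow_dispatch trigger, an unprivileged build-and-test job, pinned actions, and OIDC plus write scopes granted only to the signing job that calls release-build-sign.yml) as an added illustration. This is not the repository's workflow file: the reusable workflow's input names (artifact-name, publish-to-rekor), the Python version, the artifact name and the pin placeholders are assumptions.

```yaml
# Added illustration, not the repository's actual release-signing-dry-run.yml.
# Input names for the reusable workflow and the "<pinned-commit-sha>" pins
# are hypothetical placeholders.
name: release-signing-dry-run

on:
  workflow_dispatch:
    inputs:
      ref:
        description: Git ref to build, test and sign
        required: true
        type: string

# Workflow-wide default: read-only. Any job that needs more must ask for it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level permissions replace the defaults entirely, so everything not
    # listed here is "none": no id-token, no attestations. This job runs the
    # project's own tests and build hooks, so it must not be able to sign.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder: pin to a full commit SHA, not a tag
        with:
          ref: ${{ inputs.ref }}
      - uses: actions/setup-python@<pinned-commit-sha>   # placeholder
        with:
          python-version: "3.12"   # assumed version
      - run: python -m pip install --upgrade pip build
      - run: python -m unittest discover -s tests -v
      - run: python -m build --outdir dist .
      - uses: actions/upload-artifact@<pinned-commit-sha>   # placeholder
        with:
          name: python-dist   # assumed artifact name
          path: dist/

  sign:
    needs: build
    # The only job that holds elevated scopes.
    permissions:
      contents: read
      id-token: write       # OIDC token for keyless signing
      attestations: write   # store the signing/provenance attestation
    uses: ./.github/workflows/release-build-sign.yml
    with:
      artifact-name: python-dist   # hypothetical input name
      publish-to-rekor: false      # hypothetical input name; the dry run stays off the public log
```

The split matters because the build job executes repository-controlled code (unit tests, build backends, any setup hooks); keeping id-token and attestations off that job means a compromised dependency or test cannot mint an OIDC token in the workflow's identity. Running actionlint over the file, as the test plan does, catches malformed permission keys and unpinned or mistyped action references before the workflow is ever dispatched.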

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 0e35822.

Comment thread .github/workflows/release-signing-dry-run.yml
@negillett negillett merged commit 0086c10 into main May 17, 2026
3 checks passed
@negillett negillett deleted the add-python-release-signing-caller branch May 17, 2026 11:02