Inline PyPI publish for trusted publishing compatibility#55

Merged: negillett merged 1 commit into main from fix-pypi-inline-publish on May 21, 2026

Conversation

@negillett
Member

Summary

  • Replace the reusable-workflow publish job with an inline
    pypa/gh-action-pypi-publish@release/v1 step so PyPI trusted
    publishing matches intentproof-sdk-python / release-pypi.yml.
  • Keep Cosign signing on the reusable generic path for GitHub Release
    artifacts.
  • Run twine check before upload.

Test plan

  • Merge and re-run release (delete/recreate tag v0.2.0 or dispatch
    release pypi on the tag ref with publish enabled).
  • Confirm PyPI trusted publishing succeeds with existing OIDC config
    (IntentProof / intentproof-sdk-python / release-pypi.yml).
  • Verify PEP 740 attestations via pip download --require-hashes
    and cosign verify-blob.

Review

  • Internal review: root cause is PyPI's lack of reusable-workflow
    support; inline publish matches the Node release-npm.yml pattern.
    No OIDC reconfiguration required on PyPI.

PyPI OIDC does not support reusable workflows. Publish from a
native job with gh-action-pypi-publish while keeping Cosign
signing on the reusable generic path.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
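The inline publish job the PR describes, written out as an added example (this is not the repository's own release-pypi.yml); the job names, the `dist` artifact name and the build job are assumptions, while the action, `twine check` and the read-only `contents` permission come from the PR text:

```yaml
# Added example, not the project's release-pypi.yml. Job names, the
# artifact name "dist" and the build job are assumptions.
name: release-pypi

on:
  push:
    tags: ["v*"]

# Workflow-wide default: no job may write to the repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install --upgrade build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    # Inline job rather than a reusable workflow: the OIDC token's workflow
    # claims then name this file, which is what the PyPI trusted publisher
    # (owner / repo / workflow filename) is configured against.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # the only extra grant; lets the action mint the OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: python -m pip install --upgrade twine
      # Reject malformed metadata before anything reaches PyPI.
      - run: python -m twine check --strict dist/*
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true   # PEP 740 attestations; no API token is stored anywhere
```

Note that the reusable signing job keeps its own permissions; only the publish job needs `id-token: write`, so a compromise of any other job cannot obtain a PyPI-scoped OIDC token.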
@cursor

cursor Bot commented May 21, 2026

PR Summary

Medium Risk
Modifies the PyPI release workflow and its permissions, which can affect the package publishing pipeline and release integrity if misconfigured.

Overview
Updates release-pypi.yml to replace the reusable release-build-sign publish job with an inline publish flow: download built dists, run twine check, then upload via pypa/gh-action-pypi-publish with PEP 740 attestations enabled.

Adjusts the publish job to run directly on ubuntu-latest and scopes contents permission to read (while keeping the separate sign job using the reusable signing workflow for GitHub Release artifacts).

Reviewed by Cursor Bugbot for commit cda4a98. Bugbot is set up for automated code reviews on this repo. Configure here.

@negillett negillett merged commit 843b6dc into main May 21, 2026
3 checks passed
@negillett negillett deleted the fix-pypi-inline-publish branch May 21, 2026 13:31