
PR-F2: Tighten trusted-publish OIDC context and policy docs #1163

Merged
lmeyerov merged 3 commits into master from chore/1130-pr-f2-oidc-tightening
Apr 21, 2026

Conversation

@lmeyerov (Contributor)

Summary

Implements PR-F2 (#1130) as a narrow OIDC/trusted-publish hardening slice.

What changed

  • .github/workflows/publish-pypi.yml
    • Added workflow_dispatch confirmation input confirm_ref.
    • Added publish-context assertions before credentialed publish steps:
      • GITHUB_REPOSITORY must be graphistry/pygraphistry.
      • GITHUB_WORKFLOW_REF must match .github/workflows/publish-pypi.yml@${GITHUB_REF}.
    • Added release-tag format enforcement for tag-triggered publish.
    • Kept existing trusted-ref checks:
      • tag commits must be in origin/master history.
      • manual dispatch only from refs/heads/master.
  • DEVELOP.md
    • Documented confirm_ref=master for manual publish recovery.
    • Added explicit PyPI Trusted Publisher alignment checklist (repository/workflow/environment/refs).
  • CHANGELOG.md
    • Added infrastructure entry for PR-F2 hardening.

Why

This reduces confused-deputy/OIDC misuse risk by failing closed unless publish runs from the expected repo/workflow/ref context and by making external Trusted Publisher policy requirements explicit in the runbook.

Validation

  • YAML parse check for publish-pypi.yml (YAML_OK).
  • Full CI intentionally left to PR checks (includes workflow-security gates).

Non-goals

  • SBOM/provenance/signing work (planned as PR-F3/F4).
  • SHA pin migration.
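The publish-context assertions described in this PR, as an added example written for this page and not taken from the project's workflow: a fail-closed shell function that a `run:` step could call before any credentialed publish step. GITHUB_REPOSITORY, GITHUB_WORKFLOW_REF, GITHUB_REF and GITHUB_EVENT_NAME are the real Actions runner variables; the release-tag pattern and the CONFIRM_REF variable name (carrying the confirm_ref input) are assumptions, and the origin/master history check is left out because it needs a git checkout.

```shell
#!/bin/sh
# Added illustration of fail-closed publish-context checks, not the project's
# workflow code. GITHUB_REPOSITORY, GITHUB_WORKFLOW_REF, GITHUB_REF and
# GITHUB_EVENT_NAME are real Actions runner variables; the release-tag pattern
# and the CONFIRM_REF name (carrying the confirm_ref input) are assumptions.

# Usage: check_publish_context REPO WORKFLOW_REF REF EVENT_NAME CONFIRM_REF
# Returns 0 only when every assertion holds; otherwise explains on stderr and
# returns 1 so the calling step fails before any credentialed step runs.
check_publish_context() {
  repo=$1; wf_ref=$2; ref=$3; event=$4; confirm=$5
  expected_repo="graphistry/pygraphistry"
  # GITHUB_WORKFLOW_REF has the form OWNER/REPO/PATH@REF, so pinning it to the
  # current GITHUB_REF rejects a reusable-workflow or cross-ref invocation.
  expected_wf="${expected_repo}/.github/workflows/publish-pypi.yml@${ref}"

  # 1. Only the canonical repository may obtain the trusted-publish token;
  #    a fork running an identical workflow file has a different value here.
  [ "$repo" = "$expected_repo" ] \
    || { echo "refusing publish: repository '$repo'" >&2; return 1; }

  # 2. The OIDC token's workflow claim must be this file at this ref.
  [ "$wf_ref" = "$expected_wf" ] \
    || { echo "refusing publish: workflow ref '$wf_ref'" >&2; return 1; }

  case "$event" in
    push)
      # 3. Tag-triggered publish: enforce a release-tag format (assumed
      #    pattern; the tag-in-origin/master check needs git and is omitted).
      printf '%s\n' "$ref" | grep -Eq '^refs/tags/v?[0-9]+\.[0-9]+\.[0-9]+$' \
        || { echo "refusing publish: '$ref' is not a release tag" >&2; return 1; }
      ;;
    workflow_dispatch)
      # 4. Manual recovery publish: master only, and the operator must have
      #    typed confirm_ref=master so a stray click cannot trigger a release.
      [ "$ref" = "refs/heads/master" ] \
        || { echo "refusing publish: dispatch from '$ref'" >&2; return 1; }
      [ "$confirm" = "master" ] \
        || { echo "refusing publish: confirm_ref='$confirm'" >&2; return 1; }
      ;;
    *)
      echo "refusing publish: unexpected event '$event'" >&2; return 1 ;;
  esac
  return 0
}

# Inside the workflow step this would be invoked as:
# check_publish_context "$GITHUB_REPOSITORY" "$GITHUB_WORKFLOW_REF" \
#   "$GITHUB_REF" "$GITHUB_EVENT_NAME" "${CONFIRM_REF:-}"
```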

lmeyerov marked this pull request as ready for review April 21, 2026 02:50
lmeyerov merged commit 5dccbfd into master Apr 21, 2026
53 checks passed
lmeyerov deleted the chore/1130-pr-f2-oidc-tightening branch April 21, 2026 05:21