
ci: add release workflow for multi-platform PyPI wheels #8

Merged: ammar-s847 merged 1 commit into `main` from `ci/release-wheels` on May 26, 2026

@ammar-s847
Contributor

Summary

Adds `.github/workflows/release.yml` that builds wheels for every common platform/Python combo and publishes them to PyPI on a tag push. Closes the alpha-launch loop: tag `v0.1.1` → wheels appear on PyPI within ~10 minutes.

Matrix

| OS | Targets | Python versions |
| --- | --- | --- |
| Linux | x86_64, aarch64 (manylinux auto) | 3.10, 3.11, 3.12, 3.13 |
| macOS | x86_64, aarch64 | 3.10, 3.11, 3.12, 3.13 |
| Windows | x86_64 | 3.10, 3.11, 3.12, 3.13 |
| sdist | | |

20 wheels + 1 sdist per release.

Publish path

Uses PyPI Trusted Publishing (OIDC). The `publish` job has `permissions: id-token: write` and no long-lived token in repo secrets. Gated on tag push, so manual `workflow_dispatch` runs are build-only dry runs.

Setup (one-time, before tagging)

  1. Go to https://pypi.org/manage/account/publishing/ → "Add a new pending publisher"
  2. Fill in:
    • PyPI project name: `hebb-py`
    • Owner: `hebb-project`
    • Repository name: `hebb`
    • Workflow name: `release.yml`
    • Environment name: `pypi`
  3. (Optional, recommended) In this repo's settings → Environments → create `pypi` with required reviewers if you want a human approval gate on every publish.

Releasing

```bash
# bump version in Cargo.toml + python/Cargo.toml + pyproject.toml
git tag v0.1.1
git push --tags
```

Watch the workflow under Actions; on completion, `hebb-py` v0.1.1 is on PyPI.

Alternative auth (if you'd rather not set up Trusted Publishing right now)

Swap the publish step's OIDC block for a token-based env var:

```yaml
env:
  MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
```

…and add `PYPI_API_TOKEN` as a repo secret.

Test plan

  • Merge this PR. Manually trigger the workflow via Actions → "Release wheels" → "Run workflow" to confirm builds pass.
  • Set up Trusted Publishing on PyPI.
  • Tag `v0.1.1` and watch the publish job upload to PyPI.

Triggers on `v*` tag push (or manual workflow_dispatch). Builds
wheels for:
- Linux x86_64 + aarch64 (manylinux via PyO3/maturin-action)
- macOS x86_64 + aarch64
- Windows x86_64
× Python 3.10 / 3.11 / 3.12 / 3.13

Plus a sdist job so platforms without a prebuilt wheel can fall back
to a source build. A final `publish` job downloads every artifact and
uploads them to PyPI via Trusted Publishing (OIDC) — no long-lived
token in repo secrets. The publish step gates on tag push, so manual
runs are build-only dry runs.

To use:
1. On PyPI, configure a Trusted Publisher for `hebb-py`
   (owner: hebb-project, repo: hebb, workflow: release.yml,
   environment: pypi). See the URL in the workflow comment.
2. `git tag v0.1.1 && git push --tags` — workflow runs.

For pre-Trusted-Publishing setup, swap the OIDC `permissions:
id-token: write` block for a `MATURIN_PYPI_TOKEN` env var sourced
from a repo secret.
@ammar-s847 ammar-s847 merged commit 5a6fc6a into main May 26, 2026
3 checks passed
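
Added example (not part of this PR or the project's code): a small Python check for debugging a Trusted Publishing mismatch by comparing the claims in a GitHub Actions OIDC token against the publisher fields listed in the setup steps above. The claim names are the ones GitHub puts in Actions OIDC tokens; the matching rules are a simplified assumption about what PyPI compares, and the tokens below are constructed, unsigned samples.

```python
import base64
import json

# Trusted Publisher fields as listed in the PR's one-time setup steps.
PUBLISHER = {"owner": "hebb-project", "repo": "hebb",
             "workflow": "release.yml", "environment": "pypi"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for debugging a mismatch; never authorize on unverified claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def publisher_mismatches(claims: dict, pub: dict) -> list[str]:
    """Return the claim names that would not match the publisher config."""
    problems = []
    slug = f"{pub['owner']}/{pub['repo']}"
    if claims.get("repository_owner") != pub["owner"]:
        problems.append("repository_owner")
    if claims.get("repository") != slug:
        problems.append("repository")
    # job_workflow_ref has the form owner/repo/.github/workflows/<file>@<ref>
    wf_path = claims.get("job_workflow_ref", "").partition("@")[0]
    if wf_path != f"{slug}/.github/workflows/{pub['workflow']}":
        problems.append("job_workflow_ref")
    # A job without `environment: pypi` carries no environment claim at all.
    if claims.get("environment") != pub["environment"]:
        problems.append("environment")
    return problems


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the samples below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample claims: a tag push from the real repo, the same
# workflow run from a fork, and a publish job missing its environment.
GOOD = {"repository_owner": "hebb-project", "repository": "hebb-project/hebb",
        "job_workflow_ref": "hebb-project/hebb/.github/workflows/release.yml@refs/tags/v0.1.1",
        "environment": "pypi", "ref": "refs/tags/v0.1.1"}
FORK = dict(GOOD, repository_owner="someone", repository="someone/hebb",
            job_workflow_ref="someone/hebb/.github/workflows/release.yml@refs/tags/v0.1.1")
NO_ENV = {k: v for k, v in GOOD.items() if k != "environment"}
```

An empty list from `publisher_mismatches` means the token's identity lines up with the configured publisher; any returned name points at the setup field or workflow setting to recheck.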