
ci: add PyPI publish attestations#179

Merged: weiwei merged 1 commit into weiwei:master from shaanmajid:pypi-publish-attestations on Jun 5, 2026

Conversation

@shaanmajid (Contributor)

Summary

Hi! This switches the tag-only PyPI upload step from uv publish to pypa/gh-action-pypi-publish@v1.14.0.

junitparser already publishes from GitHub Actions using PyPI Trusted Publishing/OIDC. Using the official PyPA publish action keeps that flow, but also generates and uploads PyPI publish attestations by default, so this should not require any new PyPI-side configuration or secrets.

Those attestations bind each uploaded distribution to the trusted GitHub Actions publisher that uploaded it, making that provenance available through PyPI for downstream users and tooling.

This also removes the uv setup step from the publish job, since the upload step no longer uses uv.

Possible follow-ups

I kept this PR intentionally small for reviewability, but noticed a few related release-hardening opportunities while looking at the workflow:

  • Pin GitHub Actions to full commit SHAs.
  • Avoid cache use in release artifact builds.
  • Split build and publish into separate jobs, so id-token: write is only available in the final upload job.

Testing

Not run; workflow-only change.


github-actions Bot commented Jun 5, 2026

Test Results

  8 files  ±0    8 suites  ±0   4s ⏱️ ±0s
128 tests ±0  127 ✅ ±0   1 💤 ±0  0 ❌ ±0 
730 runs  ±0  711 ✅ ±0  19 💤 ±0  0 ❌ ±0 

Results for commit 6f2603d. ± Comparison against base commit ab3451b.

@weiwei weiwei merged commit 89dde05 into weiwei:master Jun 5, 2026
16 checks passed
@weiwei (Owner)

weiwei commented Jun 5, 2026

Thanks for the PR @shaanmajid. Seeing your change got merged in some other repos, I'll trust this is a good change.
