feat(ci): implement mirror-tarball workflow (Phase 2)

[bpamiri]

Closes wheels-dev/wheels#2269. Phase 2 of wheels-dev/wheels#2243.

Summary

Replaces the Phase 2 stub in .github/workflows/mirror-tarball.yml with a working tarball-mirror pipeline, plus a strict post-merge schema check.

What this changes

.github/workflows/mirror-tarball.yml — full implementation.

Triggers:

• pull_request.closed on packages/**/manifest.json — mirrors only the versions added/modified by the PR where tarball is still null.
• workflow_dispatch — scans every manifest and mirrors any pending entry (backfill mode).

Per pending (name, version) entry:

1. Clone source.repo at sourceTag (shallow, strip .git).
2. Deterministic tarball: tar --sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner | gzip -n.
3. sha256sum the tarball.
4. Create GH Release <name>-<version> on this registry if missing, upload tarball as release asset (--clobber on re-run).
5. jq-patch manifest: set versions[i].tarball to the release-asset URL and versions[i].sha256 to the computed hash.

Post-loop, commit + push to main as github-actions[bot]. A concurrency group (mirror-tarball, cancel-in-progress: false) serializes near-simultaneous PR merges so the writeback to main never races.

schema/manifest.strict.schema.json — new file.

Same shape as manifest.schema.json but tarball and sha256 are required and non-nullable. The tarball pattern is pinned to this registry's release-asset URL shape — author-hosted URLs are rejected at the schema level (Attack A defense).

.github/workflows/validate.yml — adds strict-main job.

Gated on push to refs/heads/main. After mirror-tarball.yml commits back, strict-main re-validates and any null field that escaped the mirror (e.g. mirror job errored) fails CI immediately.

Keeping the PR-time schema permissive and enforcing the strict shape post-merge avoids the chicken-and-egg problem where PRs submit with nulls that the mirror is responsible for filling in.

README.md — documents the new distribution flow.

Test plan

• Review the workflow YAML for any untrusted-interpolation footguns (all \${{ }} expressions involving event data go via env:).
• Merge this PR.
• Trigger the workflow manually (gh workflow run mirror-tarball.yml --repo wheels-dev/wheels-packages) to backfill the four seed packages (sentry, hotwire, basecoat, legacy-adapter).
• Verify four new GH Releases exist on this repo (wheels-sentry-1.0.0 etc.) with a .tar.gz asset each.
• Verify the bot commit on main updates all four manifests with tarball URL + sha256.
• Verify strict-main job on validate.yml goes green after the backfill commit.
• Sanity-check determinism: re-run the workflow; sha256 should be identical across runs for the same (source.repo, sourceTag).

Notes

• main is not currently branch-protected on this repo, so github-actions[bot] can push directly. If protection is added later, the workflow will need either a PAT with bypass permission or a bot-opened writeback PR.
• The issue's "tighten JSONSchema" AC is satisfied by the permissive-at-PR / strict-at-main split. Outright tightening the base schema would break new-version PRs (authors submit nulls; CI fills them in post-merge).