ci: add release workflow and document the release procedure #130

Merged: mertsatilmaz merged 1 commit into main from ci/release-workflow on May 17, 2026

Conversation

@mertsatilmaz (Collaborator)

Summary

Adds `.github/workflows/release.yml` and `docs/releasing.md`. Pushing a tag matching `v<major>.<minor>.<patch>` (or `…rc<N>`) runs four gated jobs in sequence:

  1. verify — pytest, ruff, mypy on the tagged commit
  2. build — `python -m build` produces sdist + wheel
  3. publish-pypi — uploads to PyPI via OIDC trusted publishing (no long-lived token)
  4. github-release — attaches sdist + wheel to the GitHub release with auto-generated notes

One-time setup you'll need to do before the first real tag

The workflow is dormant until two things are configured:

On PyPI (one-time, ~3 minutes):

  1. Go to https://pypi.org/manage/account/publishing/ → Add a pending publisher
  2. Fill in:
    • PyPI Project Name: `owasp-agent-security-regression-harness`
    • Owner: `OWASP`
    • Repository: `Agent-Security-Regression-Harness`
    • Workflow: `release.yml`
    • Environment: `pypi`

On GitHub (one-time, ~1 minute):

  1. Repo Settings → Environments → New environment named `pypi`
  2. Add yourself as a required reviewer so a tag can't silently publish

Both steps are in `docs/releasing.md` so future maintainers find them too.

Rehearsal before v0.1.0

Once those are configured, we can rehearse with a release candidate tag like `v0.1.0rc1` (the workflow accepts `rcN` suffixes). PyPI treats RC versions as pre-releases. If it works, we tag `v0.1.0` for the real release.

Test plan

  • `python -m pytest -q` — 315 passed (no code changes)
  • `ruff check src tests` — clean
  • `mypy` — clean
  • Workflow YAML reviewed for syntax
  • Trusted publishing configured on PyPI side (you)
  • `pypi` environment configured on GitHub side (you)
  • Rehearsal with `v0.1.0rc1` (after the version bump in #116, "release: bump version to 0.1.0 and update classifier to Alpha")

Closes #114

Add .github/workflows/release.yml. Pushing a tag matching
v<major>.<minor>.<patch> (or ...rc<N>) runs the workflow with four
gated jobs:

1. verify — pytest, ruff, mypy on the tagged commit
2. build — python -m build produces sdist + wheel
3. publish-pypi — uploads to PyPI via trusted publishing (OIDC, no
   long-lived token in the repo). Requires the `pypi` GitHub environment
   for approval gating.
4. github-release — attaches sdist + wheel to the GitHub release page
   with auto-generated release notes from PRs since the previous tag

Add docs/releasing.md for maintainers. It covers:

- One-time PyPI trusted-publishing setup (pending publisher registration
  on PyPI side + `pypi` environment on GitHub side with required reviewer)
- Per-release checklist (CHANGELOG cut-over, version bump in
  pyproject.toml + __init__.py + cli.py + README, release-prep PR, tag,
  verify on PyPI)
- Recovery procedures for failed publishes, including the PyPI
  "no re-upload of the same version" constraint

Link the procedure from CONTRIBUTING.md.

Closes #114
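As an added illustration (not the PR's actual `release.yml`, which this page does not show), here is a workflow with the four gated jobs described in the summary and in the commit message above. The `pypi` environment and the `id-token: write` permission are scoped to the publish job only, so the required reviewer and the OIDC token both apply at exactly one step, while every other job runs with a read-only token. Action versions, the Python version and the `pip install` line are assumptions.

```yaml
# Hypothetical release.yml illustrating the structure described in the PR.
# Job names and tag pattern follow the PR text; versions and pip line are assumed.
name: release
on:
  push:
    tags: ["v[0-9]+.[0-9]+.[0-9]+*"]   # v0.1.0 and v0.1.0rc1 both match
permissions:
  contents: read                       # workflow-wide default: read-only token
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: pip install -e . pytest ruff mypy   # assumption: tools not in extras
      - run: python -m pytest -q
      - run: ruff check src tests
      - run: mypy
  build:
    needs: verify                      # never build an unverified commit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: pip install build && python -m build
      - uses: actions/upload-artifact@v4
        with: { name: dist, path: dist/ }
  publish-pypi:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi                  # required reviewer must approve here
    permissions:
      id-token: write                  # OIDC token can be minted only in this job
    steps:
      - uses: actions/download-artifact@v4
        with: { name: dist, path: dist/ }
      - uses: pypa/gh-action-pypi-publish@release/v1   # no token input: trusted publishing
  github-release:
    needs: publish-pypi
    runs-on: ubuntu-latest
    permissions:
      contents: write                  # the only job allowed to write to the repo
    steps:
      - uses: actions/download-artifact@v4
        with: { name: dist, path: dist/ }
      - uses: softprops/action-gh-release@v2
        with: { files: dist/*, generate_release_notes: true }
```

The `Environment` field of the PyPI pending publisher must equal the `environment:` name on the publish job, otherwise PyPI rejects the OIDC token even though the approval gate passed.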
@mertsatilmaz mertsatilmaz merged commit f38d2aa into main May 17, 2026
3 checks passed
@mertsatilmaz mertsatilmaz deleted the ci/release-workflow branch May 17, 2026 18:44

Linked issue closed by this pull request: release: add PyPI publish workflow on tag