
ci: migrate to GitHub-hosted runners + attest release provenance#1

Merged
m-wells merged 2 commits into main from chore/migrate-hosted-runners
Jun 24, 2026

Conversation

m-wells (Collaborator) commented Jun 24, 2026

Summary

Migrates CI/docs/release off the self-hosted runner fleet (the homeserver-pool ARC pool and the ghost M2 Max) onto GitHub-hosted runners, and adds build-provenance attestation to release assets.

Runner migration

  • Linux jobs (ci.yml#check, docs.yml#build, release.yml#verify/build/publish-crate/release): runs-on: homeserver-pool -> ubuntu-latest. The rust-ci / rust-web-ci containers are kept wherever they were used, for toolchain + prettier parity (the verify and release jobs need no container, so none was added).
  • macOS jobs (ci.yml#check-macos, release.yml#build matrix): runs-on: [self-hosted, macos, arm64] -> macos-14 (hosted Apple Silicon).
  • Removed the ghost-specific rustup-shim hacks in ci.yml and release.yml — the steps that ran rustup which cargo and appended its dir to $GITHUB_PATH. Hosted macOS already has rustup + cargo on PATH; rustup show (kept) still materializes the pinned toolchain.
  • Added a prettier install on the macOS CI job. make check -> lint runs prettier --check . as a global binary (Makefile, no root package.json). The hosted macos-14 image ships Node/npm but no global prettier, so without this make check would fail. Pinned to prettier@3.8.4, the version baked into the rust-web-ci container, to keep macOS in lockstep with Linux.
  • Refreshed the comments the runner swap made factually inaccurate (header blocks, inline ghost/ARC notes).

Release attestation (release.yml)

  • Added attestations: write to the top-level permissions: (the existing id-token: write, already present for crates.io Trusted Publishing, is reused).
  • Added a build-provenance step in the release job, after actions/download-artifact and before softprops/action-gh-release:

    ```yaml
    - uses: actions/attest-build-provenance@v4
      with:
        subject-path: dist/themis-*.tar.gz
    ```

    Pinned to @v4 (the action's current major; latest release v4.1.0). The glob attests both platform tarballs and deliberately skips the .tar.gz.sha256 sidecars (no value attesting checksum files). Both archives land in dist/ via the existing download-artifact … merge-multiple: true step.

Out of scope (deliberately unchanged)

  • crates.io publishing / OIDC, version-verify logic, artifact naming (downstream pkgbuilds + homebrew-tap parse these — see the release.yml "Release contract").
  • The Makefile.
  • No pull_request / fork-PR trigger added (separate tracked follow-up).
  • docs.yml's private/public trigger comment block (see note below).

Verification

  • ci.yml triggers on push (any branch), so pushing this branch runs CI on it — see the checks on this PR. The check job runs hosted in the rust-web-ci container; check-macos runs on hosted macos-14 and exercises the new prettier-install + make check path.
  • docs.yml (triggers: push to main + dispatch) and release.yml (triggers: v* tags only) do not run on this PR branch — that's expected. docs.yml first runs on merge to main; the new attestation in release.yml first runs on the next v* tag. No tag is cut here.
  • YAML parses for all three files; prettier --check is clean; the repo's pre-commit hook (prettier + full test suite) passed at commit time.

Note for the owner (pre-existing, unrelated to this change)

docs.yml has an active push: branches: [main] trigger (lines ~22-25) despite the header comment block saying the workflow is "kept manual while the repo is PRIVATE" and that the push block should stay commented "TO ACTIVATE AT THE PUBLIC FLIP." This inconsistency predates this PR and was left untouched per scope — flagging it so you can reconcile the comment with reality (the repo is public now and the trigger is live).

https://claude.ai/code/session_01U5qTPzFxSPun9VccwbLcCy
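The permission set, step ordering and artifact flow the description above spells out piecemeal, put together as one minimal release workflow. This is an added example, not the repository's own release.yml: the `dist/themis-*.tar.gz` glob, `rustup show`, `macos-14`/`ubuntu-latest`, `merge-multiple: true` and `attest-build-provenance@v4` come from the PR text; the `make release-archive` target, the artifact names, the `@v4`/`@v2` pins on download-artifact, upload-artifact and action-gh-release, and the trailing `gh attestation verify` step are assumptions added here.

```yaml
# Added example, not the project's release.yml. Shows the permission set and
# step ordering the PR description calls for: download -> attest -> publish.
# Placeholders/assumptions: the `make release-archive` target, artifact names,
# the pins on download/upload-artifact and action-gh-release, and the final
# verification step.
name: release

on:
  push:
    tags: ["v*"] # release.yml triggers on v* tags only

# Top-level permissions. contents: write creates the GitHub release;
# id-token: write obtains the OIDC token (also used for crates.io Trusted
# Publishing); attestations: write stores the provenance attestation.
permissions:
  contents: write
  id-token: write
  attestations: write

jobs:
  build:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-14] # hosted Linux + hosted Apple Silicon
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - run: rustup show # materializes the pinned toolchain on the hosted image
      - run: make release-archive # placeholder: writes dist/themis-<target>.tar.gz + .sha256
      - uses: actions/upload-artifact@v4
        with:
          name: themis-${{ matrix.os }} # assumed artifact name
          path: dist/

  release:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true # both platform tarballs land flat in dist/
      # Attest before publishing so nothing ships without provenance. The glob
      # matches the two tarballs and deliberately skips the .tar.gz.sha256
      # sidecars; attesting a checksum file adds nothing.
      - uses: actions/attest-build-provenance@v4
        with:
          subject-path: dist/themis-*.tar.gz
      - uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/themis-*.tar.gz
            dist/themis-*.tar.gz.sha256
      # Added check (assumption: gh is on the hosted image and the job token
      # may read this repository's attestations). Fails the job if a published
      # tarball does not verify against provenance issued for this repository.
      - run: |
          set -eu
          for f in dist/themis-*.tar.gz; do
            gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"
          done
        env:
          GH_TOKEN: ${{ github.token }}
```

The same `gh attestation verify <tarball> --repo <owner>/<repo>` command is what a downstream consumer (the pkgbuilds and homebrew-tap the description mentions) would run against a downloaded release asset; it checks that the tarball's digest appears in a provenance attestation signed for that repository's workflow, which is the property the `.sha256` sidecar alone cannot give.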

m-wells added 2 commits June 24, 2026 17:03
Move CI/docs/release off the self-hosted fleet (`homeserver-pool` ARC pool +
the `ghost` M2 Max) onto GitHub-hosted runners, and add build-provenance
attestation to release assets.

Runner migration:
- Linux jobs: `homeserver-pool` -> `ubuntu-latest`, keeping the
  `rust-ci`/`rust-web-ci` containers for toolchain + prettier parity.
- macOS jobs: `[self-hosted, macos, arm64]` -> `macos-14` (hosted Apple Silicon).
- Drop the `ghost`-specific rustup-shim PATH hacks (`rustup which cargo` ->
  $GITHUB_PATH) in ci.yml and release.yml — hosted macOS has rustup + cargo on
  PATH already.
- ci.yml macOS: add `npm install -g prettier@3.8.4` before `make check`, since
  `make check` -> lint runs `prettier --check .` as a global binary and the
  hosted macOS image has no global prettier. Pinned to the version baked into
  the rust-web-ci container to keep macOS in lockstep with Linux.
- Refresh comments the runner swap made inaccurate.

Release attestation:
- Add `attestations: write` to release.yml's top-level permissions (reusing the
  existing `id-token: write`).
- Add `actions/attest-build-provenance@v4` in the release job, after
  download-artifact and before action-gh-release, attesting `dist/themis-*.tar.gz`
  (the glob skips the `.tar.gz.sha256` sidecars).

Out of scope (unchanged): crates.io publishing/OIDC, version-verify logic,
artifact naming (downstream pkgbuilds/homebrew parse these), the Makefile, and
the docs.yml private/public trigger comment block.

Claude-Session: https://claude.ai/code/session_01U5qTPzFxSPun9VccwbLcCy
…ality

The header claimed the repo was private, Pages disabled, and the workflow
manual-only — but the push-to-main auto-deploy is live and Pages is enabled
(Actions source, deploying from main). Update the comment to match; no
behavior change.

Claude-Session: https://claude.ai/code/session_01U5qTPzFxSPun9VccwbLcCy
@m-wells m-wells merged commit be360e1 into main Jun 24, 2026
2 checks passed
@m-wells m-wells deleted the chore/migrate-hosted-runners branch June 24, 2026 21:10