Add GitHub Actions release workflow with Trusted Publisher (facebookresearch#121)

Summary:
Pull Request resolved: facebookresearch#121

## Problem
PrivacyGuard has no automated PyPI publishing workflow. Publishing requires manual package builds and API token management.

## Solution
Add a GitHub Actions release workflow using PyPI Trusted Publishers (OIDC-based authentication, no API tokens needed).

### New: `.github/workflows/release.yml`
- Triggers on GitHub Release publish or manual `workflow_dispatch`
- Runs the full test suite before building (reuses `reusable_test.yml`)
- Builds sdist + wheel via `python -m build`
- Publishes to PyPI using `pypa/gh-action-pypi-publish` with OIDC Trusted Publisher auth
- Requires a `pypi` GitHub environment (for optional approval gating)

### Modified: `pyproject.toml`
- Enabled `setuptools_scm` (was commented out) so package version is derived from git tags automatically
- Removed the unused `write_to` option — version is resolved at build time without generating a `version.py`

## Setup required before first use
1. **PyPI**: Register a pending Trusted Publisher at pypi.org -> Account -> Publishing:
   - PyPI project name: `PrivacyGuard`
   - Owner: `facebookresearch`
   - Repository: `PrivacyGuard`
   - Workflow: `release.yml`
   - Environment: `pypi`
2. **GitHub**: Create a `pypi` environment in repo Settings -> Environments (optionally add required reviewers)
3. **To publish**: Create a GitHub Release with a version tag (e.g., `v0.1.0`) — the workflow runs automatically

Reviewed By: iden-kalemaj

Differential Revision: D98518834

fbshipit-source-id: 1d0c37ab97d4b42007fc7db4a13901e92c31ac01

Author: mgrange1998

.github/workflows/release.yml

@@ -0,0 +1,55 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  tests:
+    name: Run tests before publish
+    uses: ./.github/workflows/reusable_test.yml
+    secrets: inherit
+
+  build:
+    name: Build distribution
+    needs: tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: pip install build
+
+      - name: Build sdist and wheel
+        run: python -m build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

pyproject.toml

@@ -93,9 +93,8 @@ find = {}
 [tool.setuptools.package-data]
 "*" = ["*.js", "*.css", "*.html"]
 
-#[tool.setuptools_scm]
-#write_to = "privacy_guard/version.py"
-#local_scheme = "node-and-date"
+[tool.setuptools_scm]
+local_scheme = "node-and-date"
 
 [tool.usort]
 first_party_detection = false