ci: fix warnings and improve publish-python github workflow

[mg-twentyone]

Description

This PR transitions the pypi deployment workflow to a fully modern, warning-free configuration optimized for current GitHub Actions standards.
It upgrades to trusted publishing (OIDC) authentication, clears Node.js deprecation warnings (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), and ensures robust artifact management across a multi-platform compilation matrix.

Fixes #38

Notes to the reviewers

Key updates implemented in the .github/workflows/publish-python.yaml workflow:

• Trusted Publishing Activation: Migrated the deployment step away from insecure API tokens (user: token) to modern OIDC (OpenID Connect) Trusted Publishing using the pypi environment, explicit id-token: write permissions, and automated SLSA provenance attestations (artifact-metadata: write).

• Node.js Runner Upgrade: Bumped all core workflow dependencies (actions/checkout@v6, actions/upload-artifact@v7, and actions/download-artifact@v8) to remove impending Node.js runner deprecation blocks. FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true has been added to force runners using Node24 ahead of time (deprecation date scheduled for June 2nd, 2026).

• Matrix Artifact Flattening: Integrated merge-multiple: true on the final artifact download stage. This eliminates pathing errors (dist/*/ vs dist/) caused by divergent directory generation across the platform runners (manylinux, macos, windows).

• Cache Corruption Fix: Bound enable-cache: false onto astral-sh/setup-uv@v7 steps to proactively bypass systemic Cache entry deserialization failed warning loops during high-concurrency jobs.

TODO (for repo owner)

Add a Trusted Publisher to PyPI project. (here the support docs link: https://docs.pypi.org/trusted-publishers/adding-a-publisher/).
Set the following values:

• Project Name (required): bdkpython

• Owner (required): bitcoindevkit

• Repository name (required): bdk-python

• Workflow name (required): publish-python.yaml

• Environment name (optional): pypi (value included in the workflow)

Checklists

All Submissions:

• I've signed all my commits
• I followed the contribution guidelines
• I ran cargo fmt and cargo clippy before committing

New Features:

• I've added tests for the new feature
• I've added docs for the new feature

Bugfixes:

• This pull request breaks the existing API
• I've added tests to reproduce the issue which are now passing
• I'm linking the issue being fixed by this PR

[thunderbiscuit]

Thanks for this! I'll need to make sure I understand how the new PyPI stuff works and the credentials and all but if it's all good then it should be a nice upgrade to our publishing flow.

[mg-twentyone]

Feel free to reach me if you need further information or details.

[reez]

ACK c9ab5b1

This looks good to me overall, the trusted publishing setup is scoped to publish job, artifact flattening matches download artifact behavior, action refs resolve.

[thunderbiscuit]

Just a few questions!

Also this one needs a rebase now.

[thunderbiscuit]

Awesome thanks! ACK 8f5b131.