Build release wheels on native ARM runner (drop QEMU); publish one GitHub release

[yokofly]

Follow-up to #71. CI improvement — same target artifacts (built natively
instead of under emulation), just faster and with a cleaner release flow. Not
urgent (0.3.0 already shipped); benefits the next release.

Speed: native ARM instead of QEMU

The release built aarch64 Linux wheels by emulating aarch64 on the single
x86_64 ubuntu-22.04 runner (the Set up QEMU step), making that leg take
~1h. This adds a native ubuntu-22.04-arm runner (free for public
repos) and sets [tool.cibuildwheel.linux] archs = "auto64" so each runner
builds only its native arch. QEMU step removed. Expected: ~10–15 min.
Wheels are functionally equivalent for the same target tags (not asserting
byte-for-byte equality). macOS unchanged (macos-14 builds arm64 natively +
cross-builds x86_64; no Intel mac runner exists anymore).

Structure: one GitHub-release job, decoupled from PyPI

Previously every matrix wheel job ran its own action-gh-release step — four
jobs racing to create/update the same release, each needing contents: write.
This moves it into a single publish-github-release job after the builds
that uploads the complete asset set (wheels + sdist) in one shot; builders
drop to contents: read. It's single-writer, not transactional — a
mid-upload failure can still leave a partial release (re-run to finish);
fail_on_unmatched_files: true guards against an empty glob.

Review-feedback decisions

• Release ↔ PyPI coupling: publish-github-release deliberately depends on
  [build_wheels, build_sdist], not publish-to-pypi, so a PyPI failure
  still leaves a downloadable GitHub release (artifact fallback). If the team
  prefers the invariant "a GitHub release means PyPI is live," flip it to
  needs: [publish-to-pypi] (or publish a draft first). Easy to change — say
  the word.
• PyPI auth: dropped the unused id-token: write from publish-to-pypi
  and corrected the misleading "trusted publishing" comment — it's token-based
  (PYPI_TOKEN). Migrating to real OIDC trusted publishing (no long-lived
  token, more secure) is worth doing but needs PyPI-side config, so it's left
  as a separate follow-up.

Validation

actions.yml parses; fail_on_unmatched_files confirmed a real @v2 input.
Jobs = build_wheels / build_sdist / publish-to-pypi / publish-github-release;
matrix = ubuntu-22.04, ubuntu-22.04-arm, windows-2022, macos-14. The native
ARM build + new release flow are only truly exercised by a workflow_dispatch
run, so the real proof comes at the next release.

🤖 Generated with Claude Code

[coveralls]

Coverage Report for CI Build 27528562816

Warning

No base build found for commit 6774dd4 on develop.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 94.387%

Details

• Patch coverage: No coverable lines changed in this PR.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against. How to fix this →

---

Coverage Stats

Relevant Lines:	3884
Covered Lines:	3666
Line Coverage:	94.39%
Coverage Strength:	12.44 hits per line

---

💛 - Coveralls