ci: add cross-platform PyPI release workflow with OIDC publishing

Build platform-tagged, impure wheels (each bundling a GraalVM native binary
plus the JDK jmods it needs at runtime) across manylinux, musllinux, macOS,
and Windows, then publish via OIDC Trusted Publishing.

- release-pypi.yml: build-wheels matrix, sdist, GitHub Release on tag, and
  publish-pypi/publish-testpypi jobs gated on tag push or manual dispatch.
- Linux legs build inside manylinux_2_28 containers so wheel tags are correct
  by construction; musllinux legs build a fully-static --libc=musl binary.
- smoke-test.sh runs each wheel JVM-free (codajv --version plus a level-1
  source analysis that exercises the bundled jmods).
- setup-musl.sh provisions the musl toolchain + static zlib (experimental).
- build.gradle: emit a static musl binary when CODEANALYZER_NATIVE_MUSL=true.
- hatch_build.py: honor CODEANALYZER_WHEEL_PLATFORM to stamp the exact tag.

Author: rahlk

.github/scripts/setup-musl.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Best-effort musl cross toolchain + static zlib so GraalVM native-image can
+# produce a fully-static `--libc=musl` binary on a glibc (manylinux) host.
+# GraalVM can't run on Alpine, so the static binary is the only way to ship a
+# musllinux wheel. This leg is marked experimental in the workflow; failures
+# here should not be treated as a hard release blocker.
+#
+# Usage: setup-musl.sh <arch>   where arch is x64|x86_64 or aarch64|arm64
+set -euo pipefail
+
+ARCH="${1:-x64}"
+case "$ARCH" in
+  x64 | x86_64) MUSL_TRIPLE=x86_64-linux-musl ;;
+  aarch64 | arm64) MUSL_TRIPLE=aarch64-linux-musl ;;
+  *)
+    echo "setup-musl: unsupported arch '$ARCH'" >&2
+    exit 1
+    ;;
+esac
+
+PREFIX=/opt/musl
+mkdir -p "$PREFIX"
+
+toolchain_url="https://musl.cc/${MUSL_TRIPLE}-native.tgz"
+echo "setup-musl: downloading toolchain $toolchain_url"
+curl -fsSL "$toolchain_url" | tar -xz -C "$PREFIX" --strip-components=1
+
+export PATH="$PREFIX/bin:$PATH"
+echo "$PREFIX/bin" >> "$GITHUB_PATH"
+
+# native-image links libz statically; build it against the musl toolchain and
+# install into the toolchain prefix so the musl gcc finds libz.a / zlib.h.
+ZLIB_VERSION=1.3.1
+workdir="$(mktemp -d)"
+echo "setup-musl: building static zlib ${ZLIB_VERSION} with ${MUSL_TRIPLE}-gcc"
+curl -fsSL "https://zlib.net/zlib-${ZLIB_VERSION}.tar.gz" | tar -xz -C "$workdir" --strip-components=1
+(
+  cd "$workdir"
+  CC="${MUSL_TRIPLE}-gcc" ./configure --static --prefix="$PREFIX"
+  make -j"$(nproc)"
+  make install
+)
+
+echo "CC=${MUSL_TRIPLE}-gcc" >> "$GITHUB_ENV"
+echo "setup-musl: installed musl toolchain + static zlib under $PREFIX"

.github/scripts/smoke-test.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Install the freshly built wheel into a throwaway venv and exercise the
+# `codajv` entry point JVM-free: it must run the bundled native binary and
+# resolve JDK types from the bundled jmods (no JAVA_HOME required).
+#
+# Usage: smoke-test.sh [DIST_DIR]   (defaults to ./dist)
+# Honors $PYTHON to pick the interpreter that creates the venv.
+set -euo pipefail
+
+PYTHON="${PYTHON:-python3}"
+DIST_DIR="${1:-dist}"
+
+wheel=$(ls "$DIST_DIR"/*.whl 2>/dev/null | head -n1 || true)
+if [ -z "$wheel" ]; then
+  echo "smoke-test: no wheel found in '$DIST_DIR'" >&2
+  exit 1
+fi
+echo "smoke-test: testing $wheel"
+
+venv="$(mktemp -d)/venv"
+"$PYTHON" -m venv "$venv"
+if [ -x "$venv/bin/python" ]; then
+  vpy="$venv/bin/python"
+  vcodajv="$venv/bin/codajv"
+else
+  vpy="$venv/Scripts/python.exe"
+  vcodajv="$venv/Scripts/codajv.exe"
+fi
+
+"$vpy" -m pip install --upgrade pip >/dev/null
+"$vpy" -m pip install "$wheel"
+
+echo "smoke-test: codajv --version"
+"$vcodajv" --version
+
+echo "smoke-test: codajv -s (level-1 source analysis, exercises bundled jmods)"
+out="$("$vcodajv" -s 'public class Smoke { public int answer() { return 42; } }')"
+echo "$out" | head -c 2000
+echo
+if ! echo "$out" | grep -q 'Smoke'; then
+  echo "smoke-test: FAILED — expected class 'Smoke' in analysis output" >&2
+  exit 1
+fi
+echo "smoke-test: OK"