ci: harden and improve GitHub Actions workflows

[PabloPardoGarcia]

Security:

• Pin all third-party actions to immutable commit SHAs
• Add permissions: {} at workflow level with explicit per-job grants
• Migrate PyPI publishing to OIDC trusted publishing (remove PYPI_API_TOKEN)

Correctness:

• Fix version-bump to read base version from main, preventing double-bumps when labels change mid-PR
• Fix label evaluation to check all PR labels (not just triggering event) and pick highest impact (major > minor > patch)
• Reverse tag/publish order in release: tag first, then publish to PyPI
• Add VERSION format validation before arithmetic in version-bump
• Add twine check before PyPI upload

Reliability:

• Add concurrency groups to all workflows (cancel-in-progress where safe)
• Move coverage badge commit to dedicated post-matrix job to eliminate race condition with parallel matrix runners
• Eliminate duplicate pytest run on Python 3.13 (single pass with all reports)
• Fix shell injection vectors: pass GitHub context via env: not inline

New:

• Add smoke.yml: fast test run on every push to main to catch merge-induced regressions before the next release

[github-actions]

Test Coverage Report

File	Stmts	Miss	Cover	Missing
etl
__init__.py	5	0	100%
api_client.py	64	5	92%	70–73, 123
client.py	39	4	89%	59–61, 141
dlq.py	41	1	97%	70
errors.py	28	0	100%
pipeline.py	146	7	95%	334–337, 350, 406–407
tracking.py	26	0	100%
utils.py	11	11	0%	1, 3, 6, 8–11, 17–18, 22, 28
etl/models
__init__.py	12	0	100%
base.py	10	4	60%	7–10
config.py	34	6	82%	30–35
data_types.py	80	0	100%
filter.py	15	1	93%	16
join.py	49	1	97%	44
metadata.py	4	0	100%
pipeline.py	116	7	93%	160, 186, 189, 221–224
resources.py	120	37	69%	31, 72–78, 88–95, 125–132, 142, 144–150, 167, 169, 172–174
schema.py	26	0	100%
sink.py	59	6	89%	33, 39, 47, 49, 53, 55
source.py	130	6	95%	47, 51, 68, 81, 127, 153
stateless_transformation.py	44	7	84%	44, 48, 52, 57, 69, 71, 73
TOTAL	1059	103	90%