chore: CI Improvment

[jychp]

This PR updates the CI workflow to trigger on tag pushes instead of release publications. The release is now created automatically by the CI once a tag is pushed. This change enables us to enrich releases with additional metadata directly from the CI pipeline—such as SBOMs, signatures, and other artifacts.

While the modification may seem minor, it's a key step toward aligning with open-source best practices, including automated SBOM publishing and release signing.

You can find an example of generated release here: https://github.com/jychp/cartography-openapi/releases/tag/0.5.1

Updated CI Workflow:

• Push a SemVer tag

• Build and publish the Python package to PyPI

  • Now using a trusted publisher — no need to store a PyPI token in secrets
  • Enables release signing via attestations

• Build and push the Docker image to GHCR

• Automatically create the GitHub release

To trigger the pipeline:

git tag 1.2.3 && git push origin 1.2.3

Before merging this PR:

• [ ] Enable the trusted publisher on PyPI
• [ ] Set up a ruleset to restrict tag creation to a limited group of maintainers

---

Note: As recommended by the CNCF, it's a good time to start formalizing contributor roles. Proposed structure (based on CNCF’s contributor ladder.

• Contributor
• Reviewer (can approve PRs to merge into main)
• Publisher (can push tags and trigger releases)

This structure will help us scale governance as the project grows.

[jychp]

Will have to do some work for pre-release because:

• PEP 440 pre-releases are formated like M.m.prcX (cf. https://peps.python.org/pep-0440/#pre-releases)
• semver pre-releases are formated like M.m.p-rcX (cf. https://semver.org/#spec-item-9)

That's lead to error in CI: https://github.com/cartography-cncf/cartography/actions/runs/15298955744

[jychp]

Wait for https://github.com/cartography-cncf/cartography/pull/1642 to be merged