feat: release workflow with SHA256 checksums + fix Python CI

[Spinulosa1111]

Summary

• release.yml — New workflow triggered on v*.*.* tags: builds the CLI with Bun, packages a release ZIP, computes a checksums.sha256 file with sha256sum, and uploads both as GitHub Release assets. Completes the integrity story end-to-end (the CLI already verifies magic bytes and logs SHA256 on download).
• python-package-conda.yml — Replaced broken Conda workflow (depended on environment.yml that doesn't exist) with a clean pytest runner scoped to scripts/** changes on main and PRs.

Test plan

• Push a v2.5.1 tag → confirm release is created with a .zip and checksums.sha256 asset
• sha256sum -c checksums.sha256 against the downloaded ZIP should print OK
• Open a PR touching src/ui-ux-pro-max/scripts/ → Python CI job runs and passes

[mrgoonie]

Summary: This adds a tag-triggered release workflow and replaces the broken Conda workflow with a pytest workflow. The release direction is useful for the npm/release gap, but this version is not safe to merge because the new Python workflow points at a test directory that does not exist on main.

Risk level: Medium

Mandatory gates:

• Duplicate/prior implementation: overlap found with the release/package queue (#348, #353), but this PR covers a distinct release workflow piece.
• Project standards: checked current workflow/package layout; no existing release workflow is present.
• Strategic necessity: clear value, because #353 shows the project needs a reliable release path.
• CI/checks: missing/not run on this PR.

Findings:

• Important: .github/workflows/python-package-conda.yml now runs python -m pytest src/ui-ux-pro-max/scripts/tests/ -v, but current main has no src/ui-ux-pro-max/scripts/tests/ directory or pytest config. That means any PR touching src/ui-ux-pro-max/scripts/** will fail with “file or directory not found” instead of giving useful validation. Either add the tests in this PR, point the workflow at an existing test path, or keep the workflow disabled until the test harness exists.
• Important: .github/workflows/release.yml packages the whole repository after building cli, but excludes every dist path (--exclude "*/dist/*"). Because cli/package.json exposes dist/index.js as the executable and the release step just built cli/dist, the generated release ZIP likely omits the built CLI binary. The release artifact should include the files users/installers need, or explicitly package from a staged directory after verifying the expected contents.

Verdict: REQUEST_CHANGES

[ia-abatista]

Recommend closing, @mrgoonie. The release workflow and npm publish path are superseded by merged #375 (semantic-release) and #384 (npm publish).

[mrgoonie]

Cron maintainer follow-up: closing this PR as superseded rather than keeping it in the review queue.nnEvidence:n- The release automation path has already landed via #375 (semantic-release) and #384 (npm publish on release).n- Current main also includes later release/install fixes and tags through v2.8.5, including #387 for installing all seven skills.n- This PR is still merge-conflicted (mergeStateStatus=DIRTY) and its original release workflow/checksum approach is no longer the active source of truth.nnDecision: closed / superseded. If anything from this branch is still needed, please reopen as a narrow PR against current main with a specific gap not covered by #375/#384/#387.