chore: hatchling/hatch-vcs dynamic versioning, release CI, Makefile, and dev docs

[H00N24]

Summary

Consolidate graphcore's CI into a single workflow and adopt uv-native publishing
to the Certora private PyPI (AWS CodeArtifact).

Changes

• Single CI workflow (.github/workflows/ci.yml) replacing pyright.yml,
  pytest.yml, and release.yml. Flow: build_package → tests → codeartifact_pypi_upload.
  • tests downloads the wheel artifact and installs it (uv pip install --force-reinstall --no-deps dist/*.whl),
    so CI exercises the built package, not editable source.
  • pytest and pyright run as steps in the tests job with if: success() || failure()
    so a failure in one doesn't skip the other.
  • Publish job runs only on push to main/master or v*.*.* tags, gated on tests passing.
• uv publish --index certora replaces uvx twine upload and the
  aws codeartifact get-repository-endpoint lookup. The publish/check URLs
  come from a new [[tool.uv.index]] block in pyproject.toml (with
  explicit = true, so public PyPI stays the default for resolution).
• Action pinning: every action pinned to a commit SHA with a trailing
  # vX.Y.Z comment.
• Dependabot (.github/dependabot.yml) added — weekly grouped bumps for
  GitHub Actions (keeps the SHA pins fresh).
• Permissions tightened to a global contents: read, with per-job grants
  (id-token: write for AWS OIDC, contents: write only for the release job).
• Makefile: added pytest and pyright targets running through uv run,
  so CI and local dev share the same entrypoints.
• README: added a "Developer auth" snippet with the bootstrap flow
  (uv tool install → certora-cloud login → codeartifacts login).
• Removed requirements.txt (duplicated uv.lock).

Potential future plans

• Adding Certora prefix to the package

More information about prefix etc https://github.com/Certora/certora-python-cookiecutter