
ci: audit runtime deps only in publish workflow#24

Merged: KhaledSalhab-Develeap merged 1 commit into main from fix/publish-pip-audit-cves on May 6, 2026

Conversation


@KhaledSalhab-Develeap KhaledSalhab-Develeap commented May 6, 2026

Summary

The 1.6.0 publish run failed at the pip-audit step on two CVEs in pip itself, even though pip is not a runtime dependency of the published hyperping wheel.

The root cause: pip-audit was scanning the whole venv (which uv sync populates with build/dev tooling, including pip) instead of the runtime closure users actually install. So a CVE in CI tooling blocked a release on a package that doesn't ship that tool.

This PR switches the publish-time audit to operate on a freshly exported runtime-only requirements file:

- name: Audit runtime dependencies
  run: |
    uv export --no-dev --no-emit-project --no-hashes \
      --format requirements.txt -o /tmp/runtime-requirements.txt
    uv run pip-audit -r /tmp/runtime-requirements.txt

That audits exactly what pip install hyperping resolves to. No CVE IDs are ignored: when the audit is green it's because the runtime closure is genuinely clean.

Local verification

$ uv export --no-dev --no-emit-project --no-hashes \
    --format requirements.txt -o /tmp/req.txt
$ uv run pip-audit -r /tmp/req.txt
No known vulnerabilities found

Out of scope

ci.yml's audit step is continue-on-error: true and is unaffected. Tightening it the same way is a sensible follow-up.

Release follow-up

After merge, delete and recreate the v1.6.0 tag pointing at the merge commit so the publish workflow runs against the fixed file. No PyPI artifact was published in the failed run, so retagging is safe.

Test plan

  • Local audit on exported runtime deps reports zero vulnerabilities
  • Re-tagged v1.6.0 triggers a green publish-to-PyPI run
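An added guard around the audit step described above (example code, not from the PR or the hyperping project): it parses the exported requirements file and refuses to run pip-audit when the export is empty or still contains CI tooling such as pip, which is exactly the failure mode the PR fixes. It assumes `uv` and `pip-audit` are on PATH only when RUN_AUDIT=1; the parsing and check functions run on any requirements.txt-format file.

```shell
#!/bin/sh
# Added example, not the PR's or the project's code. Guards the publish-time
# audit from the PR: refuse to run pip-audit if the exported runtime closure
# is empty or still contains CI/build tooling (the PR's original failure mode).
# Assumes `uv` and `pip-audit` are installed only when RUN_AUDIT=1.

# Print PEP 503-normalized project names from a requirements.txt-format file
# (as produced by `uv export --no-hashes`): drops comments, blank lines and
# option lines (-e, --index-url, ...), then strips extras, version specifiers
# and environment markers.
requirement_names() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*;.*$//' "$1" \
      | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*-' \
      | sed -e 's/^[[:space:]]*//' -e 's/\[.*//' -e 's/[<>=!~@].*//' \
            -e 's/[[:space:]]*$//' \
      | tr 'A-Z' 'a-z' | sed 's/[_.]/-/g'
}

# Return 1 if the export is empty or if any of the named tooling packages
# appears in it; the caller decides which names count as tooling.
check_no_tooling() {
    req_file=$1; shift
    names=$(requirement_names "$req_file")
    if [ -z "$names" ]; then
        echo "error: $req_file contains no runtime packages" >&2
        return 1
    fi
    rc=0
    for tool in "$@"; do
        if printf '%s\n' "$names" | grep -qx "$tool"; then
            echo "error: CI tooling '$tool' leaked into runtime closure" >&2
            rc=1
        fi
    done
    return $rc
}

# The publish-time flow from the PR with the guard in front of pip-audit.
audit_runtime_closure() {
    req=${1:-/tmp/runtime-requirements.txt}
    uv export --no-dev --no-emit-project --no-hashes \
        --format requirements.txt -o "$req"
    check_no_tooling "$req" pip setuptools wheel pip-audit
    uv run pip-audit -r "$req"
}

if [ "${RUN_AUDIT:-0}" = 1 ]; then audit_runtime_closure "$@"; fi
```

Run with `RUN_AUDIT=1 sh audit.sh` in the publish job; the tooling list is a starting point, not an exhaustive one.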

The 1.6.0 publish run failed at the pip-audit step on two CVEs in `pip`
itself, even though `pip` is not a runtime dependency of the published
`hyperping` wheel. The root cause was that pip-audit was scanning the
entire venv (which uv populates with build/dev tooling including pip)
instead of the dependency closure that users actually install.

Switch the publish-time audit to operate on a freshly exported
runtime-only requirements file (`uv export --no-dev --no-emit-project`).
This audits exactly what `pip install hyperping` would resolve to, and
silences env-only noise without ignoring real CVE IDs.

Local check:
    $ uv export --no-dev --no-emit-project --no-hashes \
        --format requirements.txt -o /tmp/req.txt
    $ uv run pip-audit -r /tmp/req.txt
    No known vulnerabilities found

ci.yml's audit step is `continue-on-error: true` and is unaffected; can
be tightened the same way in a follow-up.
KhaledSalhab-Develeap force-pushed the fix/publish-pip-audit-cves branch from 7f45056 to cb8a8a0 on May 6, 2026 17:48
KhaledSalhab-Develeap changed the title from "ci: ignore two pip CVEs in publish audit" to "ci: audit runtime deps only in publish workflow" on May 6, 2026
KhaledSalhab-Develeap merged commit 9d69303 into main on May 6, 2026
3 checks passed