ci: add release workflows

[ovitrif]

Related: #953
Supersedes: #867 (closed as outdated in favor of #953)

This PR:

1. Adds protected release workflows for signed mainnet store and internal artifacts.
2. Adds debug-only Firebase placeholders so fresh clones can build debug variants without private Firebase files.
3. Adds a WalletScrutiny-oriented reproducible release workflow, local reproduction script, and documentation.

Description

The core change is adding release and release-internal GitHub Actions workflows. Both workflows build signed mainnet release artifacts from protected environment secrets. release keeps both APK and AAB outputs for Play/GitHub release handling, while release-internal produces the mainnet APK signed with the internal keystore.

The reproducibility support adds a Reproducible Release workflow and scripts/reproduce-release.sh to build bundleMainnetRelease, recreate APK splits with bundletool, extract arm64-v8a native libraries, and upload checksum evidence. The new documentation explains how this relates to WalletScrutiny issue #953 and captures the currently known native library mappings.

GitHub Actions setup:

• Created the release and release-internal GitHub environments for the protected release workflows.
• Required release environment secrets:
  • MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
  • BITKIT_KEYSTORE_BASE64,
  • BITKIT_KEYSTORE_PASSWORD,
  • BITKIT_KEY_ALIAS, and
  • BITKIT_KEY_PASSWORD.
• Required release-internal environment secrets:
  • MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64,
  • INTERNAL_KEYSTORE_BASE64,
  • INTERNAL_KEYSTORE_PASSWORD,
  • INTERNAL_KEY_ALIAS, and
  • INTERNAL_KEY_PASSWORD.

These will be added AFTER the PR is approved.

Remaining upstream work for #953:

• Make bitkit-core-android / Rust-native AAR builds reproducible upstream.
• Pin Rust toolchain, Android NDK, Cargo.lock, build paths, SOURCE_DATE_EPOCH, path remapping, stripping, and published native .so checksums.
• Continue investigating third-party native outputs from androidx.datastore:datastore-core and net.java.dev.jna:jna with diffoscope evidence.

Preview

N/A

QA Notes

Manual Tests

N/A

Automated Checks

• bash -n scripts/reproduce-release.sh
• YAML parse for .github/workflows/release.yml, .github/workflows/release-internal.yml, and .github/workflows/reproducible-release.yml
• go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/reproducible-release.yml .github/workflows/release.yml .github/workflows/release-internal.yml
• Workflow behavior must be verified in GitHub Actions (after merge).

[ben-kaufman]

The default bundletool_url points at Maven Central, but this artifact returns 404 there:

https://repo1.maven.org/maven2/com/android/tools/build/bundletool/1.18.1/bundletool-1.18.1.jar

A fresh run without BUNDLETOOL_JAR fails in download_bundletool before creating the APK set. Could we switch it to the Google Maven URL instead?

https://dl.google.com/dl/android/maven2/com/android/tools/build/bundletool/1.18.1/bundletool-1.18.1.jar

[ben-kaufman]

These debug Firebase paths are tracked placeholder files, so replacing them with real configs makes Git show secret-bearing changes. Could we document a safe local workflow, or adjust the config strategy so real Firebase files stay ignored?