
[Hermes] Consolidate duplicate CI workflows, harden security, update actions#2

Merged
Coding-Dev-Tools merged 1 commit into master from hermes/apiauth/consolidate-ci-harden-security on May 18, 2026

Conversation

@Coding-Dev-Tools

Owner

Summary

Consolidates the duplicate CI workflows (ci.yml + test.yml both ran on push/PR to master), hardens workflow security, and updates action versions to latest.

Why This Change

  • Duplicate CI workflows: ci.yml and test.yml both triggered on push/PR to master, running the same test suite. This wastes CI minutes and creates confusion about which workflow is authoritative.
  • Missing security hardening: All 3 checkout steps lacked persist-credentials: false, and ci.yml/test.yml had no top-level permissions block.
  • Outdated action versions: checkout@v4 and setup-python@v5 are outdated (v6 available).
  • Incomplete permissions: publish.yml had id-token:write but not contents:read.

What Changed

  • Removed test.yml — its functionality is fully merged into ci.yml
  • Expanded Python matrix: 3.11/3.12 → 3.10/3.11/3.12/3.13 (matches test.yml coverage)
  • Added CLI check steps from test.yml (apiauth --version, --help, generate --help)
  • Added persist-credentials: false to all checkout steps across ci.yml and publish.yml
  • Added top-level permissions: contents: read to ci.yml
  • Added contents: read to publish.yml permissions (alongside existing id-token: write)
  • Updated actions: checkout@v4→v6, setup-python@v5→v6

Validation Performed

  • 58/58 tests pass (python -m pytest tests/ -x -q)
  • ruff check . passes clean
  • Both YAML files validated (Python yaml.safe_load)
  • No code changes — only workflow files modified

Risks/Rollback

  • Low risk: only workflow YAML changes, no source code touched
  • If CI breaks, revert this PR to restore original workflows
  • The publish job's PYPI_API_TOKEN conditional is preserved as-is

Follow-ups

  • Consider adding Python 3.13 classifier to pyproject.toml (already present)
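As an added illustration of the hardening described above (not the repository's own workflow files), this is what a ci.yml and the publish.yml permissions block look like after the change, with the previous values noted in comments; the workflow name, job name and install command are assumptions.

```yaml
# ci.yml: illustrative reconstruction, not the repository's own file
name: CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Before: no top-level permissions block, so GITHUB_TOKEN received the
# repository's default grant. Now every job starts with read-only scope.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Before: ["3.11", "3.12"]
        python-version: ["3.10", "3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v6        # before: @v4
        with:
          # Before: default (true) left the token in .git/config, readable
          # by every later step and any tool those steps invoke.
          persist-credentials: false
      - uses: actions/setup-python@v6    # before: @v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e ".[dev]"     # assumed install command
      - run: ruff check .
      - run: python -m pytest tests/ -x -q
      # CLI checks carried over from the removed test.yml
      - run: apiauth --version
      - run: apiauth --help
      - run: apiauth generate --help

---
# publish.yml permissions block (fragment): checkout needs contents: read,
# which was missing alongside the existing id-token: write.
permissions:
  id-token: write
  contents: read
```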

…actions

- Merge test.yml into ci.yml (test.yml ran same triggers + same tests)
- Expand Python matrix: 3.11/3.12 -> 3.10/3.11/3.12/3.13
- Add CLI check steps from test.yml
- Add persist-credentials: false to all checkout steps
- Add top-level permissions: contents: read to ci.yml
- Add contents: read to publish.yml permissions (was only id-token: write)
- Update actions/checkout v4->v6, actions/setup-python v5->v6
- Remove redundant test.yml (functionality fully merged into ci.yml)
@Coding-Dev-Tools Coding-Dev-Tools merged commit acad8ba into master May 18, 2026
@Coding-Dev-Tools Coding-Dev-Tools deleted the hermes/apiauth/consolidate-ci-harden-security branch May 18, 2026 13:01