
preparing for v1.0.0 pypi release #90

Merged
CHLNDDEV merged 18 commits into master from fix_readme, Jan 4, 2026

Conversation

@krober10nd (Collaborator)

No description provided.

@CHLNDDEV CHLNDDEV marked this pull request as ready for review January 4, 2026 00:41
@CHLNDDEV CHLNDDEV self-assigned this Jan 4, 2026
Copilot AI review requested due to automatic review settings January 4, 2026 00:50

Copilot AI left a comment


Pull request overview

This PR prepares OceanMesh for its v1.0.0 PyPI release by introducing comprehensive CI/CD infrastructure for wheel building and publishing, refactoring build configuration to support multiple platforms, and improving code maintainability through function extraction and test simplification.

Key Changes:

  • Introduces automated wheel building and PyPI publishing workflows for macOS (including Apple Silicon support)
  • Refactors build system to use environment-based dependency detection instead of hardcoded paths
  • Extracts large monolithic functions into smaller helper functions for better maintainability

Reviewed changes

Copilot reviewed 13 out of 16 changed files in this pull request and generated 2 comments.

Summary per file:

  • .github/workflows/ci.yml: New comprehensive CI workflow with tox tests, wheel building, and smoke tests
  • .github/workflows/publish.yml: Production PyPI publishing workflow triggered on version tags
  • .github/workflows/publish-testpypi.yml: TestPyPI publishing workflow for pre-release testing
  • tox.ini: Updated to test Python 3.10-3.13 and configure inpoly acceleration environment
  • setup.py: Refactored to support optional numpy/pybind11 and environment-based prefix detection
  • pyproject.toml: Added cibuildwheel configuration for cross-platform wheel building
  • tools/verify_manylinux_wheels.py: New verification tool for manylinux wheel compliance
  • tools/build_deps_linux.sh: New script to build GMP/MPFR dependencies for manylinux wheels
  • oceanmesh/mesh_generator.py: Refactored validation and mesh generation logic into smaller helper functions
  • oceanmesh/geodata.py: Extracted DEM reading logic and added xarray-based NetCDF subsetting fallback
  • tests/test_multiscale.py: Simplified tests to use assertions instead of visualization code
  • README.md: Updated installation instructions and examples for v1.0.0 release


Comment on lines +34 to +36
curl -fsSL "$url" -o "${name}-${version}.tar.xz"
tar -xf "${name}-${version}.tar.xz"
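Review bot: nothing checks the integrity of the downloaded archive between the curl line and the tar -xf line, so whatever the server (or anything on the path) returns is extracted and built. A pinned digest obtained from a trusted channel can be enforced with one line between them, for example: echo "<expected sha256 from a trusted channel>  ${name}-${version}.tar.xz" | sha256sum -c - which exits non-zero on mismatch; under set -e that stops the script before extraction, otherwise append || exit 1. The digest should be a constant in the script, not something fetched from the same server as the tarball.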


Copilot AI Jan 4, 2026


This script downloads and builds third-party code (gmp, mpfr) directly from external HTTPS URLs using curl and then compiles/installs it without any checksum or signature verification, which exposes the build to supply chain compromise if the remote server or network is tampered with. An attacker who can alter the tarball at ftp.gnu.org (or intercept traffic) could inject arbitrary code into the resulting libraries, which would then be linked into your binaries and executed with your process privileges. To mitigate this, pin downloads to verified artifacts by validating strong cryptographic checksums or signatures (e.g., GPG or SHA256 from a trusted channel) before extraction and build, and fail the script if verification does not match.

Comment on lines +29 to +35
workdir="/tmp/build-${name}"
rm -rf "$workdir"
mkdir -p "$workdir"
pushd "$workdir" >/dev/null

curl -fsSL "$url" -o "${name}-${version}.tar.xz"
tar -xf "${name}-${version}.tar.xz"

Copilot AI Jan 4, 2026


The use of a predictable directory under /tmp (/tmp/build-${name}) combined with rm -rf "$workdir" introduces a symlink attack risk if this script is run with elevated privileges on a multi-user system. A local attacker can pre-create /tmp/build-gmp or /tmp/build-mpfr as a symlink to an arbitrary directory, causing this script to recursively delete that target when invoked as root, potentially leading to loss or tampering of critical system or application data. To harden this, construct a unique, attacker-uncontrolled build directory (for example by using a secure temporary directory mechanism) and avoid rm -rf on paths that can be influenced or pre-created by other users.

Suggested change
workdir="/tmp/build-${name}"
rm -rf "$workdir"
mkdir -p "$workdir"
pushd "$workdir" >/dev/null
curl -fsSL "$url" -o "${name}-${version}.tar.xz"
tar -xf "${name}-${version}.tar.xz"
workdir="$(mktemp -d "/tmp/build-${name}.XXXXXX")"
pushd "$workdir" >/dev/null
curl -fsSL "$url" -o "${name}-${version}.tar.xz"
tar -xf "${name}-${version}.tar.xz"
tar -xf "${name}-${version}.tar.xz"
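Review bot: the suggested replacement never removes the directory it creates, and because mktemp -d yields a fresh name on every run, repeated builds will accumulate /tmp/build-gmp.XXXXXX directories; add a cleanup such as trap 'rm -rf "$workdir"' EXIT directly after the mktemp line (the variable is expanded at trap time, so the single quotes are fine at script scope). The suggested block also lists tar -xf "${name}-${version}.tar.xz" twice, which extracts the same archive twice, and it still extracts without the checksum check raised in the previous comment.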

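The two review comments above describe the same fetch-and-build step in tools/build_deps_linux.sh: an archive downloaded and extracted with no integrity check, and a predictable, pre-creatable directory under /tmp. The following is an added example, not code from the OceanMesh repository or from this PR, of a hardened version of that step that addresses both points. The function names, the expected-digest argument, the TMPDIR fallback and the sample file content used in place of a real tarball are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the OceanMesh repository): hardened fetch step for a
# build-dependency script. Names and arguments below are assumptions.
set -eu

# sha256_of FILE -> prints the hex digest (GNU sha256sum or BSD shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match; on mismatch the file is
# deleted and 1 is returned so a later step cannot pick it up by accident.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, want $expected" >&2
    rm -f "$file"
    return 1
  fi
  return 0
}

# make_workdir NAME -> prints a fresh, unpredictable build directory.
# mktemp -d creates it with mode 0700 and fails instead of reusing an
# existing path, so a pre-planted /tmp/build-gmp symlink is never followed
# and nothing is ever rm -rf'ed on a name another user could have chosen.
make_workdir() {
  mktemp -d "${TMPDIR:-/tmp}/build-${1}.XXXXXX"
}

# fetch_and_verify NAME VERSION URL EXPECTED_HEX WORKDIR
# Downloads into the private directory, verifies the pinned digest, and only
# then extracts. EXPECTED_HEX must be a constant obtained from a trusted
# channel, not fetched from the same server as the archive.
fetch_and_verify() {
  local name="$1" version="$2" url="$3" expected="$4" workdir="$5" archive
  archive="${workdir}/${name}-${version}.tar.xz"
  curl -fsSL "$url" -o "$archive"          # -f: HTTP errors fail the script
  verify_sha256 "$archive" "$expected"     # set -e aborts here on mismatch
  tar -C "$workdir" -xf "$archive"
}

# Usage (not executed here; URL and digest are placeholders):
#   workdir="$(make_workdir gmp)"
#   trap 'rm -rf "$workdir"' EXIT          # cleanup on success or failure
#   fetch_and_verify gmp "<version>" "https://example.invalid/gmp.tar.xz" \
#       "<sha256 from a trusted channel>" "$workdir"
#   # ... configure/make/make install inside "$workdir" ...
```

The download is written into the freshly created directory rather than the current one, so even a mismatching archive never sits next to anything the build might read, and the trap in the usage comment removes the whole directory on every exit path, which the plain mktemp suggestion in the review does not do.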
@CHLNDDEV CHLNDDEV self-requested a review January 4, 2026 01:38
@CHLNDDEV CHLNDDEV merged commit 57ceac4 into master Jan 4, 2026
7 checks passed
@CHLNDDEV CHLNDDEV deleted the fix_readme branch January 4, 2026 01:39
