Harden Monad release CI

[haythemsellami]

Summary

• Ports the high-priority upstream release hardening into the Monad branch: Depot runners, locked cargo invocations, dist release profile, draft releases, archive checksums, and binary/archive attestation subjects.
• Adds CI coverage for --no-default-features, locked doc/clippy/crate checks, and shellcheck coverage for foundryup scripts.
• Adds no-network foundryup tests for version comparison, platform detection, stable-monad, and v*.*.*-monad-v*.*.* asset naming.
• Keeps Monad-specific release tags and asset names intact while aligning the release workflow shape with upstream/master.

Validation

• ./foundryup/test.sh
• bash -n foundryup/foundryup foundryup/test.sh .github/scripts/shellcheck.sh
• Ruby YAML parse for .github/workflows/ci.yml, .github/workflows/test.yml, .github/workflows/release.yml
• python3 .github/scripts/matrices.py
• EVENT_NAME=pull_request python3 .github/scripts/matrices.py
• CARGO_TARGET_DIR=/tmp/foundry-monad-crates-target cargo check --locked -p foundry-evm-hardforks -p foundry-evm-networks -p foundry-evm-traces -p foundry-evm-core -p foundry-cheatcodes -p anvil
• CARGO_TARGET_DIR=/tmp/foundry-no-default-target cargo check --workspace --no-default-features --locked

Notes

• Local ./.github/scripts/shellcheck.sh could not be fully executed because shellcheck is not installed in this environment; the wrapper itself parses cleanly and CI should execute it on the runner.
• Stable Monad releases remain draft releases for manual review/publish.
• SBOM/cosign additions were not ported in this branch; this keeps the scope to the CI/release hardening points discussed for the Monad release path.