ci: add figma-release workflow (paired-tag binary publishing)

[nsaini-figma]

Summary

Adds .github/workflows/figma-release.yml. On push of any statsig-go/v*-figma* tag, the workflow cross-builds libstatsig_ffi.so for linux-gnu/x86_64 and publishes the paired binaries-linux-gnu/v*-figma* tag pointing at a release-only commit that drops the freshly-built .so into the binaries-linux-gnu/ skeleton.

Why

This fork carries bug fixes that haven't landed upstream yet (including the exposure-dedupe memory leak in PR statsig-io#47). Consumers pull the rebuilt binary via go.mod replace against the fork's binaries-linux-gnu module. This workflow is the automation that produces those release artifacts: a source tag triggers a cross-build, and the resulting .so is committed and tagged atomically as a paired Go-module version.

What changed

• New file .github/workflows/figma-release.yml, one job.
• Build command runs at workspace root with -p statsig_ffi (matches upstream's tools/docker/build_x86_64-unknown-linux-gnu.sh); the cdylib is in statsig-ffi/, not statsig-rust/.

Invariants worth calling out

• Paired-tag construction. A statsig-go/X source tag triggers an exact binaries-linux-gnu/X paired tag, atomically in the same CI run. The source tag is the human-driven action; the paired tag is the workflow's deterministic output.
• No branch pollution. The release commit is reachable only via the paired tag (no branch pointer). Source-fork main is untouched.
• `go.sum` integrity downstream. Consumers' `go.sum` records the content hash of the binaries-module tag, detecting post-publish tampering.

Prerequisites BEFORE merging this PR

• PR binaries-linux-gnu: add Go-module skeleton #3 (binaries-module skeleton) is merged. The workflow expects `binaries-linux-gnu/go.mod` plus `binaries-linux-gnu/linux_gnu_x86_64.go` to exist on the source-tag's commit so the `cp` of the `.so` lands on a valid module shape.
• PR exposure_sampling: bound dedupe set with LRU + configurable cap #4 (the exposure_sampling LRU fix) is merged. Otherwise the rebuilt `.so` won't carry the fix.
• Workflow permissions in repo Settings allow `contents: write` (admin-only, flagged in PR binaries-linux-gnu: add Go-module skeleton #3's PR description).
• Tag protection in repo Settings does not block `binaries-linux-gnu/v*-figma*` pushes from `GITHUB_TOKEN`.

Steps to take AFTER merging this PR (manual)

1. Confirm all three prereqs above are met.
2. Cut the first source tag:
   ```sh
   git checkout main && git pull
   git tag statsig-go/v0.19.4-figma1
   git push origin statsig-go/v0.19.4-figma1
   ```
3. Watch the workflow run in the Actions tab. Should complete in roughly 3 to 5 minutes (cross-build dominates).
4. Verify the paired tag landed:
   ```sh
   git ls-remote https://github.com/figma/statsig-server-core
   refs/tags/statsig-go/v0.19.4-figma1
   refs/tags/binaries-linux-gnu/v0.19.4-figma1
   ```
5. Verify Go-module resolution:
   ```sh
   GOMODCACHE=$(mktemp -d) GOPROXY=direct go mod download -x
   github.com/figma/statsig-server-core/statsig-go@v0.19.4-figma1
   github.com/figma/statsig-server-core/binaries-linux-gnu@v0.19.4-figma1
   ```

Test plan

• Workflow YAML lints or passes `actionlint` (no syntax errors).
• `Cross.toml` at repo root exists (confirmed).
• cdylib output filename in the `cp` line matches `statsig-ffi/Cargo.toml`'s `[lib]` section (confirmed: `libstatsig_ffi.so`).
• Dry-run the workflow logic against a hypothetical tag push.

Follow-up

• `cross` is installed from `master` (`cargo install cross --git ...`). Pinning to a release tag would be safer; currently the workflow inherits any upstream regression. Track as a follow-up if reliability matters.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com