Adding endpoint to list projects using CI staging #1165

Draft
andrewmusselman wants to merge 1 commit into main from ci-staging-api-1151


@andrewmusselman
Contributor

API to list PMCs approved for CI staging

Fixes #1151

Summary

New public endpoint GET /api/projects/ci-staging that returns projects configured for CI staging and committees that have evidence of CI usage.

Two signals are combined:

  1. Configuration — projects with github_repository_name set in their release policy (returned as projects)
  2. Evidence — committees with automated signing keys whose primary_declared_uid contains "Automated Release Signing" or "Services RM" (returned as evidence_committee_keys)

Consumers join on project.committee_key to determine which projects have both configuration and evidence.

Changes

  • atr/models/api.py: Add CiStagingListResults response model
  • atr/api/__init__.py: Add projects_ci_staging endpoint and AUTOMATED_KEY_PATTERNS / APACHE_ORG_RE constants

Design decisions

  • Follows existing api.py conventions: Sequence[sql.Project] for projects, flat Sequence[str] for evidence keys, no custom sub-models
  • Unauthenticated public endpoint, consistent with /projects/list and /committees/list
  • Evidence query mirrors the sqlite3 approach used to generate the initial PMC list for CI onboarding
  • Release policy is eagerly loaded so github_repository_name and github_repository_branch are available on each project without a second request

Testing

Added a key to atr.db and checked for a response:

$ sqlite3 state/database/atr.db "INSERT INTO publicsigningkey (fingerprint, algorithm, length, created, primary_declared_uid, secondary_declared_uids, ascii_armored_key) VALUES ('deadbeef01234567890123456789012345678901', 22, 256, '2026-01-01T00:00:00', 'Apache Test Automated Release Signing <test.apache.org>', '[]', '-----BEGIN PGP PUBLIC KEY BLOCK-----\ntest\n-----END PGP PUBLIC KEY BLOCK-----');"
Error: stepping, database is locked (5)
$ curl -k https://localhost:8080/api/projects/ci-staging | python3 -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0   3860      0 --:--:-- --:--:-- --:--:--  3925
{
    "endpoint": "/projects/ci-staging",
    "evidence_committee_keys": [
        "test"
    ],
    "projects": []
}
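The two signals and the consumer-side join described in the pull request, as an added example that is not code from the PR. The `APACHE_ORG_RE` pattern, the project JSON layout (`key`, `release_policy`) and the sample data are assumptions constructed here.

```python
import re

# Substrings the PR description names as marking an automated signing key.
AUTOMATED_KEY_PATTERNS = ("Automated Release Signing", "Services RM")
# Assumed pattern: the PR names APACHE_ORG_RE but does not show its definition.
APACHE_ORG_RE = re.compile(r"<(?:[^@<>\s]+@)?([a-z0-9-]+)\.apache\.org>")

def evidence_committee_keys(uids):
    """Committee keys derived from UIDs that match an automated-key pattern."""
    keys = set()
    for uid in uids:
        if not uid or not any(p in uid for p in AUTOMATED_KEY_PATTERNS):
            continue
        match = APACHE_ORG_RE.search(uid)
        if match:  # a matching UID without an apache.org host names no committee
            keys.add(match.group(1))
    return sorted(keys)

def classify(projects, evidence_keys):
    """Join configured projects with evidence on committee_key."""
    evidence = set(evidence_keys)
    configured = {}  # committee_key -> project keys with a GitHub repo set
    for project in projects:
        policy = project.get("release_policy") or {}  # policy may be null
        if policy.get("github_repository_name"):
            configured.setdefault(project["committee_key"], []).append(project["key"])
    items = configured.items()
    return {
        "both": sorted(k for c, ks in items if c in evidence for k in ks),
        "config_only": sorted(k for c, ks in items if c not in evidence for k in ks),
        "evidence_only": sorted(evidence - set(configured)),
    }

# Constructed sample data; the first UID is the one inserted in the PR's test.
SAMPLE_UIDS = [
    "Apache Test Automated Release Signing <test.apache.org>",
    "Apache Example Services RM <private@example.apache.org>",
    "Jane Committer <jane@apache.org>",                # no automated pattern
    "Automated Release Signing <ci@example.invalid>",  # pattern, no apache.org host
    None,                                              # key with no declared UID
]
SAMPLE_PROJECTS = [
    {"key": "test-lib", "committee_key": "test",
     "release_policy": {"github_repository_name": "test-lib"}},
    {"key": "other", "committee_key": "other",
     "release_policy": {"github_repository_name": "other-repo"}},
    {"key": "manual", "committee_key": "example", "release_policy": None},
]

if __name__ == "__main__":
    print(classify(SAMPLE_PROJECTS, evidence_committee_keys(SAMPLE_UIDS)))
```

An OpenPGP UID is declared by whoever creates the key, so a substring match on it is evidence of automated signing and not proof of it.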

Contributor

@sbp sbp left a comment

Could we call this projects/automated, projects/automatable, or projects/reproducible instead?

release policy, and committee keys that have evidence of automated
CI usage (signing keys with automated UIDs). Consumers can join
on project.committee_key to determine which projects have both
configuration and evidence.
Member

Consumers are the public and they won't be able to join our internal database. We should discuss this API more with the team.

@andrewmusselman andrewmusselman marked this pull request as draft April 14, 2026 16:53