Bug: Release-file API accepts new HTTP python.org URLs #3011

@e-q

Describe the bug

Authenticated release-file writes accept new http://www.python.org/... values
for artifact and sidecar URL fields. Older release rows may still contain HTTP
URLs, but new or changed release-file metadata should use HTTPS.

To Reproduce

  1. In a local python.org development environment, submit an authenticated v1 or
    v2 release-file API write with:
    • url: http://www.python.org/ftp/python/3.14.0/Python-3.14.0.tgz
  2. Observe that the API accepts the row.
  3. Repeat with a sidecar field such as gpg_signature_file using an HTTP URL
    and observe that the write is accepted as well.

Expected behavior

New or changed release-file URL values should begin with
https://www.python.org/. Existing legacy HTTP rows should remain editable for
unrelated metadata until a separate data cleanup can convert or remove them.

Additional context

Authenticated v1/v2 release_file POSTs with http://www.python.org URLs
returned 201 before the patch.

The database constraint currently allows http://www.python.org/... to preserve
older release data. This can be handled at the validation layer for new writes
without requiring a data migration in the same change.
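
One way to enforce this at the validation layer, as an added example that is not part of the original issue or the python.org code base. The function names, the dict-based row shape and the `description` field are assumptions; only `url` and `gpg_signature_file` come from the issue.

```python
REQUIRED_PREFIX = "https://www.python.org/"
# Fields named in the issue; the real model may carry more sidecar fields.
URL_FIELDS = ("url", "gpg_signature_file")


def url_is_acceptable(value):
    """True for a blank optional field or a value with the required prefix."""
    if not value:
        return True
    # Exact, case-sensitive prefix match: the trailing slash pins the host,
    # so "https://www.python.org.example/" or userinfo tricks cannot pass.
    return value.startswith(REQUIRED_PREFIX)


def validate_release_file_write(new_data, existing=None):
    """Return {field: error} for URL fields that are new or changed.

    existing is the stored row for an update, or None for a create.
    An unchanged legacy HTTP value is skipped, so unrelated metadata on
    old rows stays editable until a separate data cleanup.
    """
    errors = {}
    for field in URL_FIELDS:
        if field not in new_data:
            continue
        value = new_data[field]
        if existing is not None and existing.get(field) == value:
            continue  # untouched legacy value, not re-validated
        if not url_is_acceptable(value):
            errors[field] = "must begin with " + REQUIRED_PREFIX
    return errors


# Constructed sample rows, for illustration only.
LEGACY_ROW = {
    "url": "http://www.python.org/ftp/python/3.14.0/Python-3.14.0.tgz",
    "gpg_signature_file": "",
    "description": "old text",
}

if __name__ == "__main__":
    # Create with an HTTP URL: rejected.
    print(validate_release_file_write({"url": LEGACY_ROW["url"]}))
    # Edit unrelated metadata on a legacy row: accepted.
    edit = dict(LEGACY_ROW, description="new text")
    print(validate_release_file_write(edit, existing=LEGACY_ROW))
```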
