
fix(release): use RELEASE_PAT for git pushes so promote+sync land on main

The Release workflow's auto-promote ([Unreleased] → [<version>] in
CHANGELOG.md) and auto-sync (package-lock.json on version drift) steps
both `git push origin HEAD:main` using the default GITHUB_TOKEN. That
fails against the "Require PR approval for main branch" ruleset:

    remote: error: GH013: Repository rule violations found for refs/heads/main.
    remote: - Changes must be made through a pull request.

The ruleset's bypass_actors only contains the Admin repo role. The
obvious fix — adding the GitHub Actions integration to bypass_actors —
is rejected by GitHub on user-owned (non-org) repos:

    Validation Failed: Actor GitHub Actions integration must be part
    of the ruleset source or owner organization.

So instead, authenticate the checkout (and therefore all downstream git
operations) as the maintainer via a fine-grained PAT. The PAT owner is
admin → bypasses the ruleset → push lands. Setup is one-time: create a
fine-grained PAT scoped to contents:write on this repo, add it as the
RELEASE_PAT secret. After that, future releases auto-promote cleanly.

Hidden the same way previously: 0.9.5's CHANGELOG was hand-promoted
before triggering Release, so the workflow's promote step short-
circuited on `git diff --quiet -- CHANGELOG.md` and never tried the
push. 0.9.5 also exposed the same bug in the lock-sync step — patched
manually after the fact in #440. 0.9.6 is the first release to actually
hit the bug.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Colby McHenry, 3 weeks ago
Parent commit: d493268876
1 changed file with 13 additions and 0 deletions:
.github/workflows/release.yml

.github/workflows/release.yml (+13 -0)

@@ -29,6 +29,19 @@ jobs:
           # Default checkout is detached at a SHA; we need an actual branch
           # so the CHANGELOG-promote commit knows where to push.
           ref: ${{ github.ref }}
+          # Authenticate as the maintainer (admin), not as github-actions[bot].
+          # The "Require PR approval for main branch" ruleset only lets the
+          # Admin repo role bypass — and GitHub blocks adding the GitHub
+          # Actions integration to bypass_actors on user-owned (non-org)
+          # repos with "Actor GitHub Actions integration must be part of
+          # the ruleset source or owner organization." So the auto-promote
+          # and auto-sync `git push origin HEAD:main` steps below both fail
+          # under the default GITHUB_TOKEN. Using a fine-grained PAT owned
+          # by the admin makes the push go through cleanly. Set the
+          # RELEASE_PAT secret with: contents:write on this repo, no other
+          # scopes. Rotate per your token policy; the workflow only runs
+          # on manual dispatch so the blast radius is small.
+          token: ${{ secrets.RELEASE_PAT }}
       - uses: actions/setup-node@v6
         with:
           node-version: 22
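Review bot: passing the PAT as `token:` to actions/checkout with the default `persist-credentials: true` writes the admin-owned credential into the checkout's git config, so every later step in the job (setup-node, dependency install, any package scripts) runs with a token that bypasses the main-branch ruleset, not just the promote and sync pushes the comment justifies it for. Consider setting `persist-credentials: false` on this checkout and supplying `${{ secrets.RELEASE_PAT }}` only to the two steps that run `git push origin HEAD:main`, so the ruleset-bypassing token is scoped to the commands that need it. The comment's "Rotate per your token policy" also leaves out what happens when the secret lapses: a fine-grained PAT is usually created with an expiry, and once it expires or the RELEASE_PAT secret is unset the release push will fail again, so a sentence in the comment (or a guard step that checks the secret is present before the push steps) would save the next maintainer a confusing failed release.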