ci: fix release pipeline — update actions, add GH releases, extend CI triggers

[trek-e]

Summary

Closes #1955

• Update actions/checkout (v4.2.2 → v6.0.2) and actions/setup-node (v4.1.0 → v6.3.0) in release.yml and hotfix.yml — prevents Node.js 20 deprecation breakage after June 2, 2026
• Add gh release create steps to release RC, release finalize, and hotfix finalize — populates GitHub Releases page automatically
• Extend test.yml push triggers to release/** and hotfix/** branches
• Extend security-scan.yml PR triggers to release/** and hotfix/** branches

MAINTAINER MERGE ONLY

This PR requires manual repo admin steps before the release pipeline will fully work. These code changes are necessary but not sufficient — the blocker is a repo setting, not code.

Post-Merge Admin Checklist

After merging this PR, the repo admin must complete these steps:

• Settings → Actions → General → Workflow permissions: Check "Allow GitHub Actions to create and approve pull requests" — this is the root cause of all finalize failures (GraphQL: GitHub Actions is not permitted to create or approve pull requests)
• Settings → Branches (or Rules → Rulesets): Add main branch protection — require PR, require status checks (test, security, check-issue-link), block force push
• Settings → Environments → npm-publish: Add required reviewer (trek-e), set deployment branch policy to release/*, hotfix/*, main
• Settings → Environments → npm-publish → Secrets: Add NPM_TOKEN as environment secret
• Settings → Secrets → Repository secrets: Delete repo-level NPM_TOKEN (after environment secret is confirmed working)
• Actions → Release → Run workflow: Re-run finalize for version 1.34.0 (never published due to PR permission blocker)
• Actions → Hotfix Release → Run workflow: Re-run finalize for version 1.33.1 (never published due to PR permission blocker)
• Delete stale remote branches: release/1.34.0, hotfix/1.33.1

Full analysis: CI-CD-PIPELINE-REPORT.md in repo root (not committed — local reference only).

Test plan

• Full test suite passes locally (npm run test:coverage — 2700+ tests, all green)
• CI passes on this PR (test matrix, security scan, PR gate)
• After admin checklist: dry-run release finalize with dry_run: true
• After admin checklist: dry-run hotfix finalize with dry_run: true

🤖 Generated with Claude Code

[trek-e]

Review — ci: fix release pipeline

All checks pass. The changes are correct and complete.

Action version pins

• actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd — verified as the lightweight commit SHA for v6.0.2 via GitHub API. Correct.
• actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f — verified as the lightweight commit SHA for v6.3.0 via GitHub API. Correct.

GitHub Release steps

• hotfix finalize: creates v${VERSION} (hotfix) release with --generate-notes. Correct.
• release rc: creates v${PRE_VERSION} pre-release with --generate-notes --prerelease. Correct.
• release finalize: creates v${VERSION} release with --generate-notes --latest. Correct — --latest is appropriate for stable releases only.
• All three steps are gated on ${{ !inputs.dry_run }} — dry_run mode is clean.
• GH_TOKEN: ${{ github.token }} is bound via env: — no shell injection vector.

CI trigger extensions

Adding release/** and hotfix/** to test.yml push triggers and security-scan.yml PR triggers is correct — these branches must have CI coverage during their active development window.

No issues found. Ready to merge.

[trek-e]

Ready to merge — 2026-04-10

All CI checks pass (test matrix Ubuntu/macOS × Node 22/24, security scan, PR gate, issue link, branch name). The diff is clean:

• Action version bumps use pinned SHAs with version comments — correct pattern
• gh release create steps use GH_TOKEN: ${{ github.token }} and are guarded by if: ${{ !inputs.dry_run }} — correct
• --generate-notes on releases is safe and appropriate
• test.yml and security-scan.yml trigger extensions to release/** and hotfix/** are correctly scoped

No new issues found. This is pending maintainer merge only. The post-merge admin checklist in the PR body (repo permissions, environment secrets, branch protection) must be completed before the release pipeline will fully function.