build(config): gate release job behind release environment #1368

Merged
Michael Price (michael-pr) merged 1 commit into main from wiz-10818-post-replay-ci-cleanup-gate-publish-behind-release
Jun 12, 2026

@michael-pr

Contributor

Overview of Changes

NPM_TOKEN exists only as an environment secret on the release environment, so the release job must declare environment: release for changeset publish to authenticate — without it the publish step receives an empty token and v1.0.0 fails npm auth. Gating the job also pauses every release run for required-reviewer approval, which is the exfiltration barrier for the token. Rides along WIZ-10818's tidy-up: ci.yml and release.yml now use the same actions/checkout v6.0.3 pin as release-binaries.yml.

Testing

grep -A2 "^  release:" .github/workflows/release.yml   # shows environment: release
grep -c df4cb1c0 .github/workflows/ci.yml .github/workflows/release.yml  # 1 each, no v4 pins remain

After merge, the release run on main waits for environment approval; approving it should refresh the Version Packages PR branch and, once that PR merges, publish 1.0.0 with the injected token.

Checklist

  • Changes follow the code style of this project
  • Self-review completed
  • Tests added/updated (or not applicable)
  • No breaking changes (or described below)
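
The gate described in the pull request description above, as an added example that is not part of the PR or the project's code: a Python check that flags any job reading `secrets.NPM_TOKEN` without declaring `environment: release`. The sample workflow is constructed, the function names are hypothetical, and the parser assumes block-style YAML with two-space indentation.

```python
import re

# Constructed sample workflow, not the project's real release.yml.
UNGATED = """\
on: {push: {branches: [main]}}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx changeset publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
GATED = UNGATED.replace("  release:\n", "  release:\n    environment: release\n")

def split_jobs(text):
    """Map job id -> its lines. Assumes block-style YAML with 2-space indent."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if re.match(r"\S", line):  # a new top-level key ends any jobs: block
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and (m := re.match(r"  ([\w-]+):\s*$", line)):
            current = m.group(1)
            jobs[current] = []
        elif current:
            jobs[current].append(line)
    return jobs

def job_environment(lines):
    """Return the job-level environment name (scalar or `name:` form), or None."""
    for i, line in enumerate(lines):
        if m := re.match(r"    environment:\s*(.*)$", line):
            if m.group(1):
                return m.group(1).split(" #")[0].strip("'\" ")
            for sub in lines[i + 1:]:
                if n := re.match(r"      name:\s*(.+)$", sub):
                    return n.group(1).split(" #")[0].strip("'\" ")
                if not sub.startswith("      "):
                    break
    return None

def ungated_secret_jobs(text, secret="NPM_TOKEN", env="release"):
    """Job ids that read `secret` but do not declare `environment: env`."""
    return [job for job, lines in split_jobs(text).items()
            if any(f"secrets.{secret}" in l for l in lines)
            and job_environment(lines) != env]
```

Run against each file under `.github/workflows/`, a non-empty result means a job would receive an empty token or sit outside the approval gate.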

@coderabbitai

coderabbitai Bot commented Jun 12, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 45f10c6a-6e7e-4af6-b448-951c92b7cc55

📥 Commits

Reviewing files that changed from the base of the PR and between e2b6f15 and b03ee52.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

Walkthrough

This pull request upgrades the pinned actions/checkout GitHub Action from v4 to v6.0.3 in both the CI and release workflows. The release workflow additionally specifies environment: release on the release job. These are configuration-only changes with no impact to application logic or exported APIs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title uses imperative mood ('gate'), is specific about the change (release job gating), concise at 58 characters, and includes a conventional-commit style prefix (build(config):). |
| Description check | ✅ Passed | Description includes all required sections (Overview of Changes, Testing, Checklist) with concrete details, testing steps, and completed checklist items. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@michael-pr Michael Price (michael-pr) merged commit 5d6c66f into main Jun 12, 2026
2 checks passed
@michael-pr Michael Price (michael-pr) deleted the wiz-10818-post-replay-ci-cleanup-gate-publish-behind-release branch June 12, 2026 21:25