ci: release via GitHub App token (prereq for branch protection on main)#17

Merged
bim-ba merged 1 commit into
mainfrom
ci/release-via-github-app
Jun 29, 2026
Conversation

@bim-ba bim-ba commented Jun 29, 2026

Why

We want main protected by required status checks so unformatted / unlinted / failing code can't land. But a branch-protection ruleset would reject python-semantic-release's release commit + tag push — and the default GITHUB_TOKEN cannot be granted a ruleset bypass (confirmed via GitHub REST docs + PSR docs: the default token is not a valid bypass actor; only a PAT or a GitHub App installation token can bypass).

This PR switches the release job to mint a short-lived GitHub App installation token (actions/create-github-app-token@v3.2.0) and use it for both actions/checkout and PSR's github_token. No long-lived PAT; PyPI upload stays on OIDC trusted publishing.

What changed

  • release.yml: new Mint GitHub App token step; checkout + PSR now push as the App.

Required before this is effective — you create the App (I can't)

  1. Create a GitHub App (Settings → Developer settings → GitHub Apps → New):
    • Repository permission Contents: Read and write (push commit/tag + create Release). Nothing else needed.
    • Install it on bim-ba/ycli.
  2. Add two repo secrets (Settings → Secrets and variables → Actions):
    • RELEASE_APP_CLIENT_ID = the App's Client ID
    • RELEASE_APP_PRIVATE_KEY = the App's generated private key (full PEM)
  3. Tell me the App's numeric App ID (shown on the App's settings page) — I need it for the ruleset bypass actor.

Rollout order (must be this order, or a release breaks)

  1. ✅ This PR merged to main (a ci: change → no release triggered, so the new path isn't exercised yet — safe).
  2. You create the App + add the two secrets.
  3. I create the ruleset on main (required checks test (3.12) · test (3.13) · gitleaks; bypass = the App as Integration + repo admin).
  4. The next feat:/fix: release exercises the App token + bypass — watch that first run; rollback = delete the ruleset.

🤖 Generated with Claude Code
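The release job the PR describes, written out as an added illustration; this is not the repository's actual release.yml, and the job name, the action references other than actions/create-github-app-token@v3.2.0 (python-semantic-release/python-semantic-release@v9, actions/checkout@v4, pypa/gh-action-pypi-publish@release/v1), the `client-id` input name and the `released` step output are assumptions drawn from the public docs of those actions, not from this PR. The secret names are the ones the PR asks to be created.

```yaml
# Added example, not the project's own workflow file.
name: release

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    concurrency: release            # never let two release runs race on the same tag
    permissions:
      contents: read                # GITHUB_TOKEN is no longer used to push anything
      id-token: write               # OIDC for PyPI trusted publishing (unchanged by the PR)
    steps:
      # Short-lived installation token for the App that the ruleset lists as a
      # bypass actor. Expires after the job; no long-lived PAT is stored anywhere.
      - name: Mint GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v3.2.0
        with:
          client-id: ${{ secrets.RELEASE_APP_CLIENT_ID }}        # assumed input name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      # The checkout must use the App token too: actions/checkout persists the
      # token it is given into the git config, and that is the credential PSR's
      # `git push` of the release commit and tag will use. Leaving this on the
      # default GITHUB_TOKEN is exactly what the ruleset would reject.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # PSR needs full history to compute the next version
          token: ${{ steps.app-token.outputs.token }}

      - name: Python Semantic Release
        id: release
        uses: python-semantic-release/python-semantic-release@v9   # assumed version
        with:
          github_token: ${{ steps.app-token.outputs.token }}        # creates the GitHub Release as the App

      # Upload keeps using OIDC trusted publishing; no token involved.
      - name: Publish to PyPI
        if: steps.release.outputs.released == 'true'                 # assumed output name
        uses: pypa/gh-action-pypi-publish@release/v1
```

Two things to check on the first run after the ruleset is in place. First, the push of the release commit and tag must show the App as the author in the repository's activity, not github-actions; if it shows github-actions, the checkout step is still persisting GITHUB_TOKEN and the ruleset will block it. Second, unlike pushes made with GITHUB_TOKEN, pushes made with an App installation token do trigger `on: push` workflows, so the release commit re-runs this workflow; that re-run should end with PSR deciding no new version is needed, and the `if:` guard on the publish step keeps it from uploading anything twice.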

…tion

The default GITHUB_TOKEN cannot be a ruleset bypass actor (confirmed via
GitHub docs), so once `main` is protected by required status checks PSR's
release commit + tag push would be rejected. Mint a short-lived GitHub App
installation token (no long-lived PAT) and use it for both the checkout and
PSR's github_token; the App is added to the ruleset's bypass list. PyPI
upload stays on OIDC trusted publishing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bim-ba bim-ba merged commit e0674b5 into main Jun 29, 2026
3 checks passed