feat: GitHub workflow–based release strategy (PAPI-4873)

[olivermeyer]

Why?
The previous release process used make bump to bump the version, create a git tag, and push all in one local step. This made it impossible to collect Ketryx compliance approvals before publishing, because the tag that triggers the CI/CD publish pipeline was created simultaneously with the version bump.

How?
Splits the release into three server-side GitHub Actions workflows triggered via gh workflow run:

• prepare-release.yml creates a release/vX.Y.Z branch and bumps version files (no tag yet)
  • This also triggers CI/CD, which pushes build reports to Ketryx
• publish-release.yml generates CHANGELOG.md, commits it, creates the annotated tag, and pushes
  • In future, at this point we will check that the Ketryx release has all required approvals before publishing
• merge-release.yml merges the release branch back into main and deletes it

[Copilot]

Pull request overview

Introduces a GitHub Actions–driven, multi-step release process to decouple version bumping from tagging/publishing, enabling Ketryx approvals to be collected before the publish-triggering tag is created.

Changes:

• Split release automation into three manual (workflow_dispatch) workflows: prepare release branch, publish/tag release, and merge release back to main.
• Removed local “bump + tag + push” automation (Makefile + nox) and updated bump-my-version config to stop tagging during bumps.
• Updated CI triggers to run on release/v* branches and refreshed contributor/docs guidance for the new release flow.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
pyproject.toml	Disables bump-my-version tagging and removes changelog hooks from the bump step.
noxfile.py	Removes the bump nox session that previously pushed tags.
Makefile	Adds prepare-release, publish-release, merge-release targets that trigger GH workflows via gh.
CONTRIBUTING.md	Documents the new phased release workflow and updated commands.
CLAUDE.md	Updates release/version bump documentation to the workflow-based approach.
.github/workflows/prepare-release.yml	New workflow to create release/vX.Y.Z and bump versions without tagging.
.github/workflows/publish-release.yml	New workflow to generate changelog, create annotated tag, and push (triggering publish pipeline).
.github/workflows/merge-release.yml	New workflow to merge release branch into main and delete it.
.github/workflows/ci-cd.yml	Extends CI to run on release/v* branch pushes and adjusts skip logic.
.github/CLAUDE.md	Updates CI/CD documentation to include the new release workflows and branch triggers.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 8 files with indirect coverage changes

[arne-aignx]

LGTM. As a start.

I checked the workflow on a high-level. The steps will act as expected.
Looking forward to verification for the next release.

An auditor would also look for an automated check as mentioned in the workflow. This should be the next step.