
Support immutable releases#1102

Merged
martincostello merged 1 commit into main from immutable-releases
Nov 26, 2025

Conversation

@martincostello
Owner

Refactor CI/CD processes to support using immutable releases.

The process is now:

  1. Run release.yml, which creates a GPG-signed tag
  2. build.yml runs, attaching the NuGet packages and SBOM to a draft release for the tag, which have their checksums computed and are GPG signed with .sig files attached
  3. The release is published
  4. The NuGet packages are published to NuGet.org
  5. The version is bumped and a PR opened

Also adds support for GPG-signing commits for costellobot.

- Refactor CI/CD processes to support using immutable releases.
- GPG sign commits for costellobot.
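The checksum-and-sign step from item 2 and the signature verification publish.yml performs before pushing to NuGet.org, as an added shell example that is not this repository's workflow code. It assumes a release asset directory, GNU coreutils `sha256sum`, and a GPG signing key already available to `gpg`; the asset names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the repository's workflow code): write a SHA-256 manifest
# for the release assets, attach a detached GPG .sig for each asset and for
# the manifest, then verify both before anything is published.
set -euo pipefail

# Write SHA256SUMS for every regular file in DIR (signatures and the manifest excluded).
checksum_assets() {
  local dir="$1" f
  ( cd "$dir" && : > SHA256SUMS && for f in *; do
      case "$f" in *.sig|SHA256SUMS) continue ;; esac
      if [ -f "$f" ]; then sha256sum "$f" >> SHA256SUMS; fi
    done )
}

# Create a detached binary signature <asset>.sig for each asset, including SHA256SUMS.
sign_assets() {
  local dir="$1" keyid="$2" f
  for f in "$dir"/*; do
    case "$f" in *.sig) continue ;; esac
    [ -f "$f" ] || continue
    gpg --batch --yes --local-user "$keyid" --detach-sign --output "$f.sig" "$f"
  done
}

# Fail (non-zero) if any asset lacks a signature, any signature is bad, or the
# manifest does not match the files on disk. Run this before publishing.
verify_assets() {
  local dir="$1" f
  for f in "$dir"/*; do
    case "$f" in *.sig) continue ;; esac
    [ -f "$f" ] || continue
    [ -f "$f.sig" ] || { echo "missing signature for $f" >&2; return 1; }
    gpg --batch --verify "$f.sig" "$f" 2>/dev/null || { echo "bad signature: $f" >&2; return 1; }
  done
  ( cd "$dir" && sha256sum --check --strict SHA256SUMS >/dev/null ) \
    || { echo "checksum mismatch in $dir" >&2; return 1; }
}
```

The signing key's public half must be in the verifier's keyring; in a workflow that runs in a separate job, import it explicitly rather than relying on the signing job's keyring.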
@martincostello martincostello added the "enhancement" (New feature or request) label Nov 26, 2025
Copilot AI review requested due to automatic review settings November 26, 2025 20:56
@martincostello martincostello added the "github_actions" (Pull requests that update GitHub Actions code) label Nov 26, 2025
@codecov

codecov bot commented Nov 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.59%. Comparing base (7510ef2) to head (e27195e).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1102   +/-   ##
=======================================
  Coverage   98.59%   98.59%           
=======================================
  Files          16       16           
  Lines         284      284           
  Branches       37       37           
=======================================
  Hits          280      280           
  Misses          2        2           
  Partials        2        2           
Flag      Coverage Δ
linux     98.59% <ø> (+0.70%) ⬆️
macos     98.59% <ø> (ø)
windows   98.59% <ø> (ø)

Flags with carried forward coverage won't be shown.

@martincostello martincostello marked this pull request as ready for review November 26, 2025 20:59

Copilot AI left a comment


Pull request overview

This PR refactors the CI/CD pipeline to support immutable releases with GPG signing. The new workflow creates a GPG-signed tag via release.yml, builds and signs packages in build.yml with checksums and GPG signatures attached to a draft release, then publishes the release and packages to NuGet.org via publish.yml, followed by version bumping through bump-version.yml. The changes also add GPG commit signing support for the costellobot automation account.

Key Changes

  • Replaced inline release creation in release.yml with GPG-signed tag creation only
  • Introduced new publish.yml workflow to handle NuGet package publishing after release publication with signature verification
  • Modified build.yml to create draft releases with GPG-signed assets and checksums, moving NuGet publishing to the separate workflow

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Summary per file:
  .github/workflows/release.yml: Refactored to create GPG-signed tags with optional branch/version inputs instead of directly creating releases
  .github/workflows/publish.yml: New workflow for publishing verified and GPG-signed packages to NuGet.org after release publication
  .github/workflows/build.yml: Modified to create draft releases with GPG-signed assets and checksums, removed direct NuGet publishing
  .github/workflows/bump-version.yml: Added GPG commit signing support and logic to handle version bumps from published releases
  .github/workflows/lint.yml: Removed explicit branch restrictions for pull_request trigger
  .github/workflows/dependency-review.yml: Removed explicit branch restrictions for pull_request trigger
  .github/workflows/codeql.yml: Removed explicit branch restrictions for pull_request trigger
