revert: restore semantic-release in devDependencies

.github/dependabot.yml

@@ -12,19 +12,6 @@ updates:
         update-types:
           - minor
 
-  # Release tooling is isolated in .release/ so its transitive npm CLI
-  # bundled deps never surface at the root. We still want direct-dep
-  # updates (semantic-release, plugins) but must ignore transitives,
-  # since advisories inside `npm`'s bundled `node_modules/` cannot be
-  # updated by npm/Dependabot (the fix has to come from npm/cli itself,
-  # e.g. npm/cli#9194 → 11.13.0).
-  - package-ecosystem: npm
-    directory: /.release
-    schedule:
-      interval: weekly
-    allow:
-      - dependency-type: direct
-
   - package-ecosystem: github-actions
     directory: /
     schedule:

.github/workflows/release.yml

@@ -42,17 +42,10 @@ jobs:
 
       - run: npm run build
 
-      # semantic-release lives in its own .release/ package so its bundled
-      # transitive `npm` CLI (whose own vendored deps periodically surface
-      # advisories like brace-expansion and picomatch) never lands in the
-      # root `node_modules` or surfaces in `npm audit` at the repo root.
-      - name: Install release tooling
-        run: npm ci --prefix .release
-
       - name: Release
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: .release/node_modules/.bin/semantic-release
+        run: npx semantic-release
 
   docker:
     name: Publish Docker image