[Task] Harden the release workflow with approval and concurrency gates

[ashleyshaw]

Build/CI Summary

The current release workflow can still race, and the live publish path is too easy to reach without a strong workflow-level gate.

Steps / Checklist

• Add workflow concurrency so only one release run can execute at a time
• Separate dry-run from live publish more explicitly in the workflow inputs and execution path
• Require an approved environment or equivalent gate for live release publishing
• Add a final pre-tag verification step that checks release state before mutation

Acceptance Criteria

• Two release runs cannot race
• Live publish requires the approved workflow gate
• Dry-run still works without publishing anything
• The workflow checks the release state immediately before tagging

Additional Context

• Source pack: .github/projects/active/release-agent-hardening/
• Proposal spec: openspec-strict/children/01-2-task-workflow-hardening-and-approval-gates.md

References

• CONTRIBUTING.md
• ISSUE_TYPES.md
• LightSpeed General Instructions

Definition of Ready (DoR)

• Build/CI goal and scope defined
• Checklist prepared
• Estimate added

Definition of Done (DoD)

• All checklist and acceptance criteria completed
• Documentation/changelog updated
• Approved by maintainer

[linear-code]

LS-923