ci: replace bump-version with explicit Release workflow + concurrency guard #2403

Draft
glifocat wants to merge 5 commits into nanocoai:main from glifocat:ci/option-b-release-workflow

@glifocat (Collaborator)

Type of Change

  • Feature skill - adds a channel or integration (source code changes + SKILL.md)
  • Utility skill - adds a standalone tool (code files in .claude/skills/<name>/, no source changes)
  • Operational/container skill - adds a workflow or agent skill (SKILL.md only, no source changes)
  • Fix - bug fix or security fix to source code
  • Simplification - reduces or simplifies source code
  • Documentation - docs, README, or CONTRIBUTING changes only

Description

Replaces the path-triggered bump-version.yml with an explicit workflow_dispatch Release workflow that produces a verified tag and a populated Releases-tab entry in one run. Also adds a main-write-back concurrency group to serialize against update-tokens.yml, removing the race the old setup had.

What this fixes

  1. No Release entries. bump-version.yml pushed lightweight tags but never created GitHub Release entries, so the Releases tab has been empty.
  2. Race with update-tokens.yml. Both workflows push to main; without serialization they can clobber each other's commits or fail mid-push.
  3. No pre-release verification. Tags could be cut against red CI, against a commit with no CHANGELOG entry, or with no curated release notes.

Files

  • NEW .github/workflows/release.yml — manual release workflow with three pre-release gates (CI-green, version-compute, CHANGELOG-present), CHANGELOG-section extraction, annotated tag push, and gh release create with --generate-notes to append a Contributors section.
  • EDIT .github/workflows/update-tokens.yml — adds concurrency: { group: main-write-back, cancel-in-progress: false } so it can't collide with releases.
  • DELETE .github/workflows/bump-version.yml — replaced by the manual workflow.

Pre-release gates (fail-closed)

  1. CI green — queries check-runs for HEAD; fails on any failure, cancelled, or timed_out conclusion.
  2. Version compute — pnpm version <bump> --no-git-tag-version updates package.json only, so we can read the new version before committing anything. Reversible at this point.
  3. CHANGELOG present — grep for ## [<version>]; fails if missing. Forces the maintainer to write release notes before hitting Run, not after.

Release-note assembly

awk extracts the section between ## [<version>] and the next ## [ heading. That file is passed to gh release create --notes-file; --generate-notes appends the auto-generated "New Contributors" + "Full Changelog" section.

Notes

  • Switches to annotated tags (git tag -a) so each release carries its own metadata commit. Matches what pnpm version does locally.
  • Explicit permissions: contents: write on the job so future least-privilege audits don't have to infer.
  • --verify-tag guards the unlikely case where the tag push silently failed.
  • Both workflows use the corrected if: github.repository == 'nanocoai/nanoclaw' guard. (Depends on / supersedes the urgent guard-fix PR.)

What's NOT addressed (deliberate)

  • No asset uploads. nanoclaw is clone-and-setup; no binaries.
  • No pre-release/beta channel. Easy to add later via inputs.prerelease: boolean + --prerelease.
  • No commit/tag signing. Layer on later with a GPG-equipped action.
  • No auto-generated CHANGELOG. Maintainer still writes the entry by hand — by design; the workflow just verifies it's there.

Testing

  • Run the workflow once on a test commit with a stale CHANGELOG to confirm Gate 3 trips.
  • Run on a commit with red CI to confirm Gate 1 trips.
  • Run on a clean commit with CHANGELOG present and verify both the tag and the Releases entry appear.
  • Trigger update-tokens and release near-simultaneously and confirm the second waits on the concurrency lock.
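
The CHANGELOG gate and the section extraction described in the PR, sketched as an added example; this is not the PR's release.yml, and the function names and sample CHANGELOG are constructed. It goes one step beyond the description by also rejecting a heading whose section is empty, and it matches the heading literally so that "." and "[" in the version are not interpreted as regex syntax.

```shell
#!/bin/sh
# Added example, not the PR's release.yml. Function names and the sample
# CHANGELOG are constructed for illustration.

# Gate 3: pass only if a line starts with the literal text "## [<version>]".
# index() matches literally, so "." and "[" are never read as regex syntax.
changelog_has_version() {
  awk -v hdr="## [$2]" 'index($0, hdr) == 1 { found = 1 } END { exit !found }' "$1"
}

# Print the lines between "## [<version>]" and the next "## [" heading.
extract_section() {
  awk -v hdr="## [$2]" '
    index($0, hdr) == 1                  { in_section = 1; next }
    in_section && index($0, "## [") == 1 { exit }
    in_section                           { print }
  ' "$1"
}

# Fail closed: write the notes file only when the heading exists and its
# section contains something other than whitespace.
build_release_notes() {
  changelog_has_version "$1" "$2" || { echo "gate 3: no entry for $2" >&2; return 1; }
  notes=$(extract_section "$1" "$2")
  [ -n "$(printf '%s' "$notes" | tr -d '[:space:]')" ] ||
    { echo "gate 3: entry for $2 is empty" >&2; return 1; }
  printf '%s\n' "$notes" > "$3"
}

# Constructed sample: 1.4.0 has notes, 1.3.1 is an empty stub, 1.5.0 is absent.
tmp=$(mktemp -d)
cat > "$tmp/CHANGELOG.md" <<'EOF'
# Changelog

## [1.4.0] - 2026-05-10
- Manual Release workflow with pre-release gates

## [1.3.1] - 2026-04-02

## [1.3.0] - 2026-03-15
- Older fix
EOF

build_release_notes "$tmp/CHANGELOG.md" 1.4.0 "$tmp/notes.md" && cat "$tmp/notes.md"
build_release_notes "$tmp/CHANGELOG.md" 1.5.0 "$tmp/none.md" || echo "1.5.0 blocked"
build_release_notes "$tmp/CHANGELOG.md" 1.3.1 "$tmp/stub.md" || echo "1.3.1 blocked"
```

In a workflow step, the non-zero return from build_release_notes is what stops the job before any tag is pushed.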

github-actions bot added the follows-guidelines and PR: Fix labels May 10, 2026

glifocat added 2 commits May 10, 2026 23:33

Resolves conflicts after PR nanocoai#2402 merged. The literal-fix changes
from nanocoai#2402 are already present on this branch; bump-version.yml is
intentionally deleted here.

Adds a step between Gate 2 and Gate 3 that builds a CHANGELOG
section from PRs merged since the last tag, but only when the
maintainer hasn't already written one for the new version.
Pre-existing sections win, preserving editorial control.