ci: enable merge queue and release environment approval gate (#97)

Add merge_group trigger to ci.yaml so CI runs when PRs enter the merge
queue. The merge queue is configured in the new main-branch-protection
ruleset (replaces legacy branch protection rules) with squash merging,
ALLGREEN grouping, and 1-min wait before merging singles.

Add environment: release to the release workflow. The release environment
requires approval from @SebTardif before the release job can proceed,
preventing accidental tag pushes from triggering unreviewed releases.
Deployment is restricted to v* tags.

Ruleset and environment were created via API in this session:
- Ruleset ID 16941636 (main-branch-protection)
- Environment: release (required reviewer: SebTardif, tag policy: v*)

Closes #75
Closes #61
Closes #67

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/ci.yaml

@@ -5,6 +5,7 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+  merge_group: {}
   workflow_dispatch: {}
 
 permissions:

.github/workflows/release.yaml

@@ -23,6 +23,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    environment: release
     permissions:
       contents: write
       packages: write