chore(ci): add artifact security scanning to release pipelines #225

Draft
pkosiec wants to merge 1 commit into main from pkosiec/artifact-scanner

Conversation


@pkosiec pkosiec commented Apr 1, 2026

Summary

  • Add gh-action-scan to both release workflows (release.yml, release-lakebase.yml)
  • Scan runs before git push — if scan fails, no tag is pushed and no npm publish happens
  • Decouple npm publish from release-it's after:release hook into explicit workflow steps
  • Uncomment push-to-main triggers for both release workflows
  • Use release-it --ci --no-git.push --no-github.release to build + tag locally, then push + create GH release + publish only after scan passes

How it works

  1. release-it runs full lifecycle (audit → bump → build → dist → sbom → commit → tag) but stops before pushing
  2. gh-action-scan scans the built tmp/ directories
  3. If scans pass: push tag, create GitHub release (with changelog notes), publish to npm
  4. If scan fails: workflow fails, no tag pushed, no publish — clean state

Test plan

  • Trigger dry-run release — scan/push/publish steps should be skipped
  • Trigger real release — scan steps run before push, changelog notes extracted for GH release
  • Verify security-scan-results-* artifacts are uploaded
  • Verify npm publish succeeds after scan
  • Verify local pnpm release still works (release-it config unchanged for push/release)
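
The step ordering described above, written out as an added illustration of the scan gate (this is not the PR's own workflow diff, which is not shown on this page). The scan action's commit SHA and inputs, the scan output path, the release-notes file name and the Node/pnpm setup are assumptions:

```yaml
name: release
on:
  push:
    branches: [main]          # the push-to-main trigger this PR re-enables
  workflow_dispatch:
    inputs:
      dry-run: { type: boolean, default: false }
permissions:
  contents: write             # push the tag, create the GitHub release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history for changelog generation
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile

      # 1. Full release-it lifecycle (bump, build, sbom, commit, tag); nothing leaves the runner yet.
      - name: Bump, build and tag locally
        if: ${{ !inputs.dry-run }}
        run: pnpm exec release-it --ci --no-git.push --no-github.release

      # 2. Gate: a non-zero exit fails the job here, before any push or publish.
      #    <full-commit-sha> is a placeholder; pin the SHA you audited.
      - name: Scan built artifacts
        if: ${{ !inputs.dry-run }}
        uses: databricks/gh-action-scan@<full-commit-sha>
      - name: Upload scan results
        if: ${{ !cancelled() && !inputs.dry-run }}   # keep results on failure too
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results-${{ github.run_id }}
          path: scan-results/                        # assumed output location

      # 3. Only reached when the scan passed: publish the tag, release and package.
      - name: Push tag and create GitHub release
        if: ${{ !inputs.dry-run }}
        env: { GH_TOKEN: "${{ github.token }}" }
        run: |
          tag="v$(node -p "require('./package.json').version")"
          git push --follow-tags origin HEAD
          gh release create "$tag" --notes-file release-notes.md   # assumed notes file
      - name: Publish to npm
        if: ${{ !inputs.dry-run }}
        env: { NODE_AUTH_TOKEN: "${{ secrets.NPM_TOKEN }}" }
        run: pnpm publish --no-git-checks
```

With `dry-run` set, the scan, push and publish steps are skipped, matching the test plan; a scan failure stops the job with the tag still only in the runner's local clone.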

@pkosiec pkosiec changed the title chore(ci): add artifact security scanning to CI chore(ci): add artifact security scanning to release pipelines Apr 1, 2026
@pkosiec pkosiec force-pushed the pkosiec/artifact-scanner branch from aaf00e7 to de3cb46 on April 1, 2026 09:12
- Add gh-action-scan before git push in both release workflows, so
  compromised artifacts block the release before any tag is published
- Decouple npm publish from release-it's after:release hook into
  explicit workflow steps for better control flow
- Uncomment push-to-main triggers for both release workflows
- Use databricks/gh-action-scan composite action (SHA-pinned)

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>
@pkosiec pkosiec force-pushed the pkosiec/artifact-scanner branch from de3cb46 to 9e94916 on April 1, 2026 09:13