ci(release): gate release-trigger on the release environment (#3003)

* ci(release): gate release-trigger on the release environment

Add environment: release to the dispatch job that calls the reusable
release-dispatch.yml workflow. GitHub's deployment protection runs
before any of the reusable workflow's jobs start, so the prepare step
(which creates tags) requires manual approval.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* ci(release): gate release-trigger via intermediate approve job

environment: release cannot be used on a job that calls a reusable
workflow (uses:). Instead, add an explicit approve job that holds the
environment gate; the dispatch job depends on it, so the reusable
workflow's prepare step (which creates tags) cannot run until a
reviewer approves the deployment.

Remove the previously-added environment: release from the dispatch
job (invalid) and the inner environment: release from release-dispatch.yml
(redundant — a single gate is sufficient).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: dkirov-dd

.github/workflows/release-trigger.yml

@@ -48,9 +48,17 @@ jobs:
             echo "is-stable-release=false" >> "$GITHUB_OUTPUT"
           fi
 
+  approve:
+    name: Await release approval
+    needs: context
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - run: echo "Release approved"
+
   dispatch:
     name: Release
-    needs: context
+    needs: [context, approve]
     uses: DataDog/integrations-core/.github/workflows/release-dispatch.yml@master
     with:
       source-repo: integrations-extras