feat: auto merge-to-main, bump-version workflow, and branch locking

[Copilot]

The release-to-main promotion was manual and error-prone, with no way to determine which release/** branch is "latest" without scanning all of them. Additionally, there was no automated way to start a new major/minor version cycle or enforce push restrictions on protected branches.

merge-to-main (automatic)

• Added merge-to-main job to release.yml, runs only on release/** after GitHub Release is created
• Finds the highest release/** branch via git ls-remote | sort -V | tail -1
• Normalizes both versions to M.m before comparing — only the latest branch triggers a PR to main
• Skips silently with a step summary note if not the latest (e.g. hotfix on an older branch)

bump-version workflow

• New workflow_dispatch workflow (bump-type: minor | major), must run from main
• Auto-detects current version from highest release/** branch; calculates next M.m
• Creates develop/M.m from main
• Major bump: resets all PublicAPI.Shipped.txt and PublicAPI.Unshipped.txt to #nullable enable — fresh API surface for breaking-change cycles
• Minor bump: preserves API files — existing shipped API remains the baseline

Branch locking

• New composite actions: branch-protection/lock (sets PR-required + no force-push + no deletions via GitHub API) and branch-protection/unlock (removes protection)
• promote-branch.yml now locks newly created preview/** and release/** branches immediately after the initial push
• Added administration: write permission to promote-branch.yml

promote-branch source-branch enforcement

• Previously, any develop/** or support/** branch could be promoted directly to release/**
• Now validates per promotion type: preview ← develop/**/support/**; release ← preview/** only