Commit 9c300a9
🔒 fix(ci): split release workflow for proper credential scoping (#160)
The post-release PR step fails with `fatal: could not read Username`
because `persist-credentials: false` was added by the zizmor security
audit (#154), but the step needs `git push` access via `RELEASE_TOKEN`.
Split the release workflow into two jobs. The `publish` job keeps
`persist-credentials: false` since it only needs to build and publish.
The `post-release` job also uses `persist-credentials: false` but
configures git auth via `remote set-url` scoped to the single step that
needs push access, with `RELEASE_TOKEN` protected by the `release`
environment.
The changelog patching is replicated in the post-release job so the
version bump PR includes the updated `CHANGELOG.md`.
1 parent 3eb584c
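The two-job layout the commit message describes, written out as a complete workflow. This is an added example, not the project's own `release.yml`: the trigger, the repository-specific build and changelog commands, the branch name and the bot identity are assumptions; only the job names, `persist-credentials: false`, the `release` environment, `RELEASE_TOKEN` and the `remote set-url` technique come from the message above.

```yaml
# Added example workflow (not the project's file). Build, publish and
# changelog-patching commands below are placeholders.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read            # default GITHUB_TOKEN stays read-only in both jobs

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # nothing writes to the repo; no token in .git/config
      - name: Build and publish
        run: |
          # assumed commands; this job never needs git push
          make build
          make publish

  post-release:
    needs: publish
    runs-on: ubuntu-latest
    environment: release               # RELEASE_TOKEN is an environment secret, gated here
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # still no ambient credential for the other steps
      - name: Patch changelog and bump version
        run: |
          # assumed scripts; same patching the publish job applies, so the PR carries it
          ./scripts/patch-changelog.sh CHANGELOG.md
          ./scripts/bump-version.sh
      - name: Push version bump branch
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}   # exposed to this step only
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b chore/version-bump
          git add CHANGELOG.md
          git commit -m "chore: bump version after release"
          # Put the token in the push URL for this one command, then strip it
          # again so it does not survive in .git/config for any later step.
          git remote set-url origin \
            "https://x-access-token:${RELEASE_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          git push origin chore/version-bump
          git remote set-url origin "https://github.com/${GITHUB_REPOSITORY}.git"
```

Two points worth checking when reviewing a workflow like this: the secret is bound with a step-level `env`, so a compromised dependency in the build or changelog steps never sees it, and the remote URL is reset right after the push, so the token is not left on disk for the rest of the job. If a later step opens the PR with `gh`, it should receive the token the same way, as its own step-scoped `GH_TOKEN`, rather than relying on the URL having been left in place.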