
ci: add OSPO branch protection and environment-scoped workflows #25

Closed

jung-thomas wants to merge 2 commits into main from ospo-branch-protection


Conversation

@jung-thomas

Contributor

Adds repo ruleset on main (PR + CI test check required, blocks force-push and deletion, admin bypass). Wires publishing/secret-using workflows to GitHub Environments: release.yml -> release, sign-windows.yml + release-tray.yml -> signing (required reviewer), news-sync.yml -> news-sync. Documents the new approval gate in the CLAUDE.md release section.

Follow-up (manual): scope SIGNPATH_* secrets to the signing environment and YOUTUBE_API_KEY to the news-sync environment.

Adds repo ruleset on `main` (PR + CI `test` check required, blocks
force-push and deletion, admin bypass). Wires publishing/secret-using
workflows to GitHub Environments: release.yml -> release,
sign-windows.yml + release-tray.yml -> signing (required reviewer),
news-sync.yml -> news-sync. Documents the new approval gate in the
CLAUDE.md release section.

Follow-up (manual): scope SIGNPATH_* secrets to the signing
environment and YOUTUBE_API_KEY to the news-sync environment.
Signed-off-by: Thomas Jung <thomas.jung@sap.com>
@jung-thomas jung-thomas enabled auto-merge June 12, 2026 16:30
@jung-thomas

Contributor Author

Superseded by a follow-up PR that addresses the actual OSPO findings (deadline 16 June 2026):

  • Adds the three flagged controls: dismiss_stale_reviews_on_push, require_last_push_approval, required_review_thread_resolution.
  • Uses bypass_mode: pull_request instead of always for the admin bypass — admins can skip the new review/resolution checks for emergency merges, but the 1-approval rule still applies (narrower Control 5 regression).

Closing this in favor of the new PR.
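As an added example (not part of this PR or the repository), a small Python audit that checks a ruleset in the GitHub REST API JSON shape for the controls discussed above: the `pull_request` rule with at least one approval and the three flagged parameters (`dismiss_stale_reviews_on_push`, `require_last_push_approval`, `required_review_thread_resolution`), the required CI `test` status check, `deletion` and `non_fast_forward` rules, and bypass actors narrowed to `bypass_mode: pull_request` rather than `always`. The sample ruleset and the admin actor id are constructed; `hardened()` shows the follow-up PR's changes applied to it.

```python
"""Audit a GitHub repository ruleset (REST API JSON shape) for the OSPO controls."""
import copy
# Constructed sample: the ruleset as this PR described it (1 approval, CI "test"
# check, force-push and deletion blocked, admin bypass set to 'always').
RULESET_V1 = {
    "name": "main", "target": "branch", "enforcement": "active",
    "bypass_actors": [{"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}],
    "rules": [
        {"type": "deletion"},
        {"type": "non_fast_forward"},
        {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,
            "required_status_checks": [{"context": "test"}]}},
    ],
}
REQUIRED_PR_FLAGS = ("dismiss_stale_reviews_on_push", "require_last_push_approval",
                     "required_review_thread_resolution")

def audit_ruleset(ruleset):
    """Return a list of findings; an empty list means every control is in place."""
    findings = []
    rules = {r["type"]: r.get("parameters") or {} for r in ruleset.get("rules", [])}
    for needed in ("deletion", "non_fast_forward", "pull_request", "required_status_checks"):
        if needed not in rules:
            findings.append(f"missing rule: {needed}")
    pr = rules.get("pull_request", {})
    if pr.get("required_approving_review_count", 0) < 1:
        findings.append("pull_request: required_approving_review_count < 1")
    for flag in REQUIRED_PR_FLAGS:
        if not pr.get(flag, False):
            findings.append(f"pull_request: {flag} not enabled")
    checks = rules.get("required_status_checks", {}).get("required_status_checks", [])
    if "test" not in {c.get("context") for c in checks}:
        findings.append("required_status_checks: CI 'test' check not required")
    for actor in ruleset.get("bypass_actors", []):
        if actor.get("bypass_mode") == "always":  # should be 'pull_request'
            findings.append(f"bypass_actors: {actor.get('actor_type')} {actor.get('actor_id')} "
                            "may bypass 'always'; narrow to 'pull_request'")
    return findings

def hardened(ruleset):
    """Copy of the ruleset with the follow-up PR's changes applied."""
    fixed = copy.deepcopy(ruleset)
    for rule in fixed.get("rules", []):
        if rule["type"] == "pull_request":
            rule.setdefault("parameters", {}).update({f: True for f in REQUIRED_PR_FLAGS})
    for actor in fixed.get("bypass_actors", []):
        actor["bypass_mode"] = "pull_request"
    return fixed
```

Running `audit_ruleset` on the output of `gh api repos/OWNER/REPO/rulesets/ID` (placeholder path) gives the same findings list for a live ruleset.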

auto-merge was automatically disabled June 12, 2026 16:37

Pull request was closed

@qmacro

qmacro commented Jun 12, 2026

Contributor

For the branch protection (GitHub Hardening Control 5) you could, as an alternative, just add this repo to the list in this ruleset (see the email I sent the other day).
