
Harden release artifact gates#39

Open
sameer2191 wants to merge 1 commit into main from feature/release-artifact-gates


Conversation

@sameer2191

Owner

Summary

  • mirror CI package gates in the release verification job before package creation
  • verify SHA-256 checksums before release artifact upload and again after artifact download before attestation/publish
  • make the GitHub security release gate fail closed when actionable alert endpoints are unavailable
  • add a regression test with injected GitHub API responses for the fail-closed path

Validation

  • npm run verify
  • node --test --experimental-sqlite dist/tests/security-fixes.test.js
  • npm run test:skip-gate
  • npm run package:check
  • npm run installer:audit
  • npm pack --dry-run
  • npm run audit:prod
  • npm run release:security-gate
  • npm run release:codeql-gate
  • ruby YAML parse for .github/workflows/*.yml
  • temp release rehearsal: npm pack, npm sbom, sha256sum manifest, sha256sum --check
  • git diff --check
  • rg recruiter/career wording scan returned no matches

Signed-off-by: Mir Sameer <mirsameer0304@gmail.com>

@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ac005bfb6c


Comment on lines +72 to +73
if (summary.unavailable.length > 0) {
shouldFail = true;
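Review bot: the condition on lines +72 to +73 turns every entry in summary.unavailable into a hard failure without distinguishing why an endpoint was unavailable. A 403 from an under-scoped token and a transient 5xx look identical to this branch, so consider recording the endpoint and HTTP status for each unavailable entry in the failure output (and documenting the token permissions the gate requires) so that a blocked release can be diagnosed as misconfiguration rather than outage.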


P1: Use a fully authorized token before failing closed

When this release gate runs in .github/workflows/release.yml, it is still passed ${{ github.token }} with only security-events: read; GitHub's workflow permission docs say security-events covers code-scanning alerts, Dependabot requires vulnerability-alerts: read, and secret-scanning alerts require a GitHub App or PAT. Because this new branch now fails on any 403/404 unavailable endpoint, tag releases will exit 1 on the Dependabot or secret-scanning checks even when there are no actionable alerts, blocking publishing rather than verifying the alert state.

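As an added illustration of the fail-closed path that the description and the review comment discuss (example code, not the project's own release:security-gate), the gate below classifies injected GitHub API responses per alert endpoint and records why an endpoint was unavailable, so a 403 from an under-scoped token stays distinguishable from an outage; the endpoint names, response shape and sample responses are assumptions.

```javascript
// Added example, not the project's code. Endpoint names and the
// { status, body } response shape are assumptions for illustration.
const ALERT_ENDPOINTS = ['code-scanning', 'dependabot', 'secret-scanning'];

// Classify one injected response. For a 200, body is the array of alerts
// the endpoint returned; any other status is treated as "unavailable".
function classifyResponse(endpoint, response) {
  if (response.status === 200) {
    const open = (response.body || []).filter((a) => a.state === 'open');
    return {
      endpoint,
      status: open.length > 0 ? 'actionable' : 'clean',
      count: open.length,
    };
  }
  // 403/404 usually means the token lacks permission for this endpoint;
  // 5xx or a network error is transient. Both fail the gate closed, but the
  // reason is kept so operators can tell misconfiguration from an outage.
  const reason = response.status === 403 || response.status === 404
    ? `permission or visibility problem (HTTP ${response.status})`
    : `transient error (HTTP ${response.status ?? 'network'})`;
  return { endpoint, status: 'unavailable', reason };
}

// Evaluate the gate over all endpoints. Fails closed when any endpoint is
// unavailable, matching the branch under review, and also on open alerts.
function evaluateGate(responses) {
  const summary = { actionable: [], clean: [], unavailable: [] };
  for (const endpoint of ALERT_ENDPOINTS) {
    const response = responses[endpoint] ?? { status: undefined };
    const result = classifyResponse(endpoint, response);
    summary[result.status].push(result);
  }
  const shouldFail =
    summary.actionable.length > 0 || summary.unavailable.length > 0;
  return { summary, shouldFail };
}

// Constructed sample: clean code scanning, no Dependabot scope (403),
// empty secret scanning. The gate fails closed and names the cause.
const sampleResponses = {
  'code-scanning': { status: 200, body: [{ state: 'dismissed' }] },
  'dependabot': { status: 403 },
  'secret-scanning': { status: 200, body: [] },
};
const verdict = evaluateGate(sampleResponses);
for (const u of verdict.summary.unavailable) {
  console.error(`release gate: ${u.endpoint} unavailable: ${u.reason}`);
}
console.log(`shouldFail=${verdict.shouldFail}`);
```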
