Add release workflow to automate gem publishing

[sinsoku]

Motivation / Background

I want to increase the release frequency by automating the gem release process.

Detail

Allow publishing a new version to RubyGems simply by merging a release PR.
tagpr handles release PR creation and tagging, and rubygems/release-gem pushes the gem.

Required setup (cc: @mame)

Several settings are required for this workflow to work.

• Enable "Allow GitHub Actions to create and approve pull requests"
  • in repository settings (Settings → Actions → General → Workflow permissions)
  • tagpr needs this to open the release PR
• Configure RubyGems Trusted Publisher
  • in typeprof settings
  • Repository owner: ruby
  • Repository name: typeprof
  • Workflow filename: release.yml
  • Environment: release
  • refs: https://guides.rubygems.org/trusted-publishing/

How the release flow works

1. When a commit is pushed to master, tagpr opens (or updates) a release PR
   titled something like Release for vX.Y.Z. The PR contains:
   • A version bump in lib/typeprof/version.rb
   • An updated Gemfile.lock (via postVersionCommand)
   • An auto-generated CHANGELOG.md entry summarizing merged PRs since
     the last release
2. The next version defaults to a patch bump. To bump minor/major, use either:
   • Label a merged PR with minor or major — tagpr will automatically
     propagate this to the release PR as tagpr:minor / tagpr:major, or
   • Label the release PR directly with tagpr:minor or tagpr:major
     to override / set the bump manually.
3. Merging the release PR causes tagpr to push a vX.Y.Z tag and create a
   GitHub Release.
4. The tag triggers rubygems/release-gem, which builds and pushes the gem
   to RubyGems via Trusted Publishing (no API key needed).

Examples

• Release for v1.18.3 Songmu/tagpr#347
• Release for v0.2.0 sinsoku/ruby-lsp-typeprof#3

[mame]

I checked the repository settings, and "Allow GitHub Actions to create and approve pull requests" appears to be disabled at the enterprise level. So I cannot enable it soon.
I can't tell whether this is intentional, so I'll discuss it with @hsbt after the holidays.

[sinsoku]

@mame
I investigated why this setting is disabled by default.
It seems to be to reduce the risk of malicious code being introduced by bypassing code reviews.

• https://github.blog/changelog/2022-05-03-github-actions-prevent-github-actions-from-creating-and-approving-pull-requests/
• https://best.openssf.org/SCM-BestPractices/github/actions/actions_can_approve_pull_requests.html

The impact is limited because tagpr only creates a release PR.
However, I'm hesitant to change the organization's settings for this workflow.

I'll consider if there's a better way.