ci: sign the release PR commit with the bot GPG key

[xiaoyijun]

Summary

The branch ruleset requires verified signatures on every PR commit, but release-please creates its release PR commits through the REST API, which cannot produce GPG signatures — so release PRs (first hit: #245) are unmergeable. There is nothing to configure on the bot account for this: only git-CLI commits can be signed, and release-please has no signing support upstream.

logto-io/js does not have this problem because changesets/action commits via the git CLI with silverhand-bot's GPG key imported (crazy-max/ghaction-import-gpg + BOT_GPG_KEY / BOT_GPG_PASSPHRASE org secrets, both already visible to this repo).

This PR ports that setup: after release-please runs, when a release PR was created or updated (prs_created), the workflow checks out the release branch, imports the bot key, and git commit --amend --no-edit --gpg-sign + force-pushes — the commit keeps its author and message and becomes Verified. A guard skips amending when the head commit is already signed (e.g. re-signed by hand, like #245 just was), so checks are not re-triggered for nothing. Pushes use BOT_PAT so the PR's required status checks still trigger on the new SHA.

Also documents the step in RELEASE.md.

Note: the v2.x release workflow needs the same treatment before release: 2.0.3 (#260) can merge — mirror PR to follow.

Testing

• Verified BOT_GPG_KEY / BOT_GPG_PASSPHRASE are org secrets visible to this repo.
• The mechanism (amend + re-sign + force-push, author preserved) is exactly what unblocked release: 3.0.0-beta #245 manually today; this automates it with the bot's key.
• The js publish workflow has been producing Verified silverhand-bot commits with the same key/action for a long time.

Checklist

• .changeset (N/A — release-please)
• unit tests (N/A — workflow change)
• integration tests (N/A)
• necessary KDoc comments (N/A)

🤖 Generated with Claude Code