Add manual approval gate to release-production push-to-main #2622

@oxoxDev

Description

Summary

release-production.yml uses a GitHub App token to push version-bump commits and tags directly to main, bypassing branch protection. Add operational hardening.

Problem / Context

Confirmed at .github/workflows/release-production.yml:

  • L113: private-key: ${{ secrets.XGITHUB_APP_PRIVATE_KEY }}
  • L170-181: git push origin main + git tag + git push origin "$TAG"

If the App private key leaked through a log, compromised action, or misconfigured runner, an attacker could push arbitrary commits to the default branch. CWE-250.

Identified by audit #2575 (H-3).

Scope

  • Add a review-approval job gated by an environment: Release-Approval (with required reviewers) before the push step in the main_head path:

    review-approval:
      runs-on: ubuntu-latest
      environment: Release-Approval
      steps:
        - run: echo "Release approved"

  • Document quarterly rotation of XGITHUB_APP_PRIVATE_KEY in docs/release.md (or equivalent).

  • (Stretch) Move to a PR-based release flow where CI opens a PR that a human merges, rather than direct push.

Acceptance criteria

  • review-approval job inserted before push step (main_head path)
  • Release-Approval GitHub environment created with required reviewers
  • Quarterly rotation runbook documented
  • No regression to staging-tag promotion path
  • Diff coverage ≥ 80%
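The scope and acceptance criteria above ask that the push step wait on an environment-gated review-approval job. The following lint is an added example, not code from the issue or the project: it takes the workflow as the dict that yaml.safe_load() would return, and reports any job that runs git push without (transitively) needing a job bound to the Release-Approval environment. The sample workflow and the job name "release" are constructed for the demo.

```python
# Added example: check that every `git push` job waits on the approval gate.
# Input is a workflow as parsed by yaml.safe_load(); the workflow below is a
# constructed sample and the job name "release" is an assumption.
import re

PUSH_RE = re.compile(r"git\s+push\b")

def _ancestors(jobs, name, seen=None):
    """Transitive `needs` of a job: every job it waits for, directly or not."""
    seen = set() if seen is None else seen
    needs = jobs.get(name, {}).get("needs", [])
    for dep in ([needs] if isinstance(needs, str) else needs):
        if dep not in seen:
            seen.add(dep)
            _ancestors(jobs, dep, seen)
    return seen

def ungated_push_jobs(workflow, gate="review-approval", env="Release-Approval"):
    """Return names of jobs that run `git push` without waiting on a job that
    declares the approval environment. An empty list means the gate holds."""
    jobs = workflow.get("jobs", {})
    decl = jobs.get(gate, {}).get("environment")
    # `environment` may be a bare name or a mapping with a `name` key.
    gate_ok = decl == env or (isinstance(decl, dict) and decl.get("name") == env)
    bad = []
    for name, job in jobs.items():
        steps = job.get("steps", []) or []
        pushes = any(PUSH_RE.search(str(s.get("run", ""))) for s in steps)
        if pushes and (not gate_ok or gate not in _ancestors(jobs, name)):
            bad.append(name)
    return bad

# Constructed sample: the hardened shape the issue asks for.
HARDENED = {"jobs": {
    "review-approval": {"runs-on": "ubuntu-latest",
                        "environment": "Release-Approval",
                        "steps": [{"run": 'echo "Release approved"'}]},
    "release": {"runs-on": "ubuntu-latest", "needs": ["review-approval"],
                "steps": [{"run": 'git push origin main\ngit push origin "$TAG"'}]},
}}
# Same workflow with the `needs` edge dropped: the push is no longer gated.
UNGATED = {"jobs": {k: dict(v) for k, v in HARDENED["jobs"].items()}}
UNGATED["jobs"]["release"].pop("needs")

if __name__ == "__main__":
    print("hardened:", ungated_push_jobs(HARDENED))  # []
    print("ungated:", ungated_push_jobs(UNGATED))    # ['release']
```

Run it in CI against yaml.safe_load(open(".github/workflows/release-production.yml")) and fail the build when the list is non-empty, which turns the acceptance criterion into a regression check.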

Labels

  • enhancement
  • infra-ci-release: CI, release automation, packaging, build containers, and test harnesses.
  • security: Security, encryption, approvals, credentials, and trust boundaries.
  • security-work: Security hardening, vulnerabilities, or policy work.
  • subtask: Subtask of a larger tracked effort.
  • task: Work item that is not primarily a bug or a feature.

Status: Todo

Milestone: none