Publish packages from GitHub releases

[eric-tramel]

What

Move plugin package publication from tag-push events to explicit GitHub Release publication events.

The publish workflow now runs when a GitHub Release is published, gates the job to release tags shaped like data-designer-*/vX.Y.Z, validates the exact <plugin-package>/vX.Y.Z semver shape, checks out the release tag, and keeps the existing package validation/build/upload/Page deploy flow.

It also removes the custom CODEOWNERS membership check from the publish job. Publishing the GitHub Release is now the maintainer authorization boundary, so team CODEOWNER membership does not have to be reimplemented with a token that can read org membership.

Why

The previous tag-push workflow failed for team CODEOWNERS because GITHUB_TOKEN cannot reliably resolve org team membership. That made the custom guard weaker than the actual GitHub permission model and blocked valid releases by members of CODEOWNER teams.

Using an explicit GitHub Release event gives us a clearer release action and avoids duplicating GitHub's CODEOWNER/team authorization logic in shell.

Usage

After make release creates the tag:

git push origin data-designer-my-plugin/v0.2.0
gh release create data-designer-my-plugin/v0.2.0 \
  --title "data-designer-my-plugin v0.2.0" \
  --notes "Release data-designer-my-plugin v0.2.0" \
  --latest=false

For the already-pushed data-designer-retrieval-sdg/v0.1.0 tag, once this lands on main, publishing that GitHub Release should trigger the package publish workflow.

Validation

• Parsed .github/workflows/publish.yml with PyYAML and asserted the release trigger and removed CODEOWNERS step.
• make docs
• make check