ci: protect future release branches via ASF rulesets

[Yicong-Huang]

What changes were proposed in this PR?

Add an ASF .asf.yaml ruleset to protect future release/* branches.

We use github.rulesets here because protected_branches in ASF .asf.yaml requires explicit branch names, while rulesets can cover future release branches with release/*.

This ruleset is intended to mirror main by requiring:

• pull requests
• linear history
• 1 approving review
• the same required CI checks as main
• no force-push
• no branch deletion

Any related issues, documentation, discussions?

Closes #4579

How was this PR tested?

• Validated .asf.yaml parses as YAML locally.
• Created an equivalent native GitHub ruleset in my fork: ruleset #15794451
• Verified the ruleset applies to release/*: branch rule evaluation
• Verified a direct push to a protected release/* branch was rejected.
• Verified branch deletion on a protected release/* branch was rejected.
• Re-ran the test with the exact required CI list from latest origin/main. When pushing a full-tree release/* branch, GitHub rejected it with 10 of 10 required status checks are expected, which confirms the required-check set is being enforced.
• Test PR in fork: Yicong-Huang/texera#3

Was this PR authored or co-authored using generative AI tooling?

Generated-by: OpenAI Codex GPT-5

[aglinxinyuan]

LGTM!