Fix release automation

[hluk]

Fixes waiting on builds - it should fail right away if some builds fail.

Fixes invalid GitHub Action reference.

Adds actionlint pre-commit hook to ensure the GitHub Actions are valid.

Assisted-by: Claude (Anthropic)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.29%. Comparing base (7ef3817) to head (53a82b8).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3547      +/-   ##
==========================================
- Coverage   81.05%   74.29%   -6.76%     
==========================================
  Files         246      252       +6     
  Lines       31677    37470    +5793     
  Branches        0     5078    +5078     
==========================================
+ Hits        25675    27840    +2165     
- Misses       6002     9630    +3628     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR tightens the release/CI automation by making release drafting fail fast on broken builds, fixing GitHub Actions references, and adding local validation tooling for workflow files.

Changes:

• Update draft-release.sh to watch CI build runs (and fail on build failure) instead of polling the release for artifacts.
• Harden GitHub Actions workflows (permissions, checkout creds, cache restore/save split, workspace path fixes, corrected action pin).
• Add pre-commit hooks (actionlint, zizmor) and align build/install directories (_install) with presets and .gitignore.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
utils/github/draft-release.sh	Switches from artifact polling to watching CI runs before proceeding with release drafting.
CMakePresets.json	Moves build/install dirs under ${sourceDir} and introduces _install for install outputs.
.pre-commit-config.yaml	Adds actionlint and zizmor hooks to validate workflows in pre-commit.
.gitignore	Ignores _install directory created by updated CMake presets/workflows.
.github/workflows/codespell.yml	Uses checkout with persist-credentials: false.
.github/workflows/build-windows.yml	Adds least-privilege permissions, fixes cache usage, aligns paths with presets, and updates artifact download pin.
.github/workflows/build-macos.yml	Adds least-privilege permissions, fixes cache usage, aligns paths with presets, and updates artifact download pin.
.github/workflows/build-linux.yml	Adds least-privilege permissions, aligns build/install paths with presets (_install).
.github/dependabot.yml	Adds update cooldown and groups GitHub Actions updates.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.