ci: automate releases with release-it + GitHub Action

[JumpLink]

Summary

Replaces the fully manual release flow (yarn bump:* + local yarn publish:*) with an automated setup modeled on the gjsify monorepo:

• release-it orchestrates version bump, CHANGELOG generation (conventional commits), git tag v${version}, commit chore: release v${version}, and GitHub Release — all from one yarn release[:patch|:minor|:major] command.
• @release-it/bumper syncs the new version across every workspace package.json (packages/*, infra/*, vendor/*, backend/*, demos/*, examples/*/*).
• New GitHub Action .github/workflows/release.yml triggers on release: published, runs check:all + build:libs + test, then publishes all non-private workspaces via yarn workspaces foreach ... npm publish --tag latest. NPM_TOKEN stays a repo secret — no more publishing from developer laptops.
• Release-it config requires branch main and a clean working tree (guardrails).
• .yarnrc.yml gains a packageExtension for @conventional-changelog/git-client to resolve a PnP peer-dependency chain issue.

Replaces

• Root scripts bump:prerelease / bump:patch|minor|major, publish:next / publish:latest → release, release:patch, release:minor, release:major, release:dry

Required before first use

• Add NPM_TOKEN as a repository secret (npm Automation Token). Without it the publish step fails.
• Merge this PR into main, then run yarn release:patch (or :minor/:major) from main.

Test plan

• yarn install resolves with new release-it devDependencies
• yarn release:dry (with guards bypassed for verification only) shows correct version bump, CHANGELOG preview, and git tag plan
• After merge: set NPM_TOKEN repo secret
• First real release from main: yarn release:patch → verify GitHub Release created, Action triggered, packages appear on npm with latest tag
• Confirm CHANGELOG.md generated at repo root on first release