fix(ci): use Commit App token for release finalize commit #490

Merged
c-vigo merged 1 commit into release/0.3.2 from bugfix/487-release-0-3-2-failure
Apr 7, 2026
@c-vigo c-vigo commented Apr 7, 2026

Description

The release finalize job used the Release App token for vig-os/commit-action, but branch protection / rulesets treat that app differently than the Commit App. The workflow now generates a dedicated token from COMMIT_APP_ID / COMMIT_APP_PRIVATE_KEY (same pattern as prepare-release.yml) and passes it to commit-action as GH_TOKEN.

Type of Change

  • feat -- New feature
  • fix -- Bug fix
  • docs -- Documentation only
  • chore -- Maintenance task (deps, config, etc.)
  • refactor -- Code restructuring (no behavior change)
  • test -- Adding or updating tests
  • ci -- CI/CD pipeline changes
  • build -- Build system or dependency changes
  • revert -- Reverts a previous commit
  • style -- Code style (formatting, whitespace)

Modifiers

  • Breaking change (!) -- This change breaks backward compatibility

Changes Made

  • .github/workflows/release.yml — Add Generate Commit App Token step in the finalize job; wire commit-action GH_TOKEN to steps.commit-app-token.outputs.token instead of the Release App token.
  • CHANGELOG.md — Document the fix under Unreleased / Fixed.
  • assets/workspace/.devcontainer/CHANGELOG.md — Same changelog entry (mirrored).

Changelog Entry

Fixed

  • Release finalize commit blocked by Release protection ruleset (#487)
    • Generate a dedicated Commit App token (COMMIT_APP_ID) for the commit-action step in the finalize job of release.yml, matching the pattern used by prepare-release.yml and other workflows; the previous Release App token lacked ruleset bypass

Testing

  • Tests pass locally (just test)
  • Manual testing performed (describe below)

Manual Testing Details

N/A — workflow-only change; verify on the next release run after merge.

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have updated the documentation accordingly (edit docs/templates/, then run just docs)
  • I have updated CHANGELOG.md in the [Unreleased] section (and pasted the entry above)
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published

Additional Notes

Ensure repository secrets COMMIT_APP_ID and COMMIT_APP_PRIVATE_KEY are configured for the Commit App with the permissions needed to push to release/* per your ruleset design.

Refs: #487

@c-vigo c-vigo self-assigned this Apr 7, 2026
@c-vigo c-vigo enabled auto-merge April 7, 2026 07:26
@c-vigo c-vigo merged commit 687e738 into release/0.3.2 Apr 7, 2026
11 checks passed
@c-vigo c-vigo deleted the bugfix/487-release-0-3-2-failure branch April 7, 2026 07:29
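
A check a reviewer could run over release.yml to confirm which app's credentials back the GH_TOKEN handed to vig-os/commit-action. This is an added example, not code from the pull request or the project. The workflow text is constructed, and `RELEASE_APP_ID`, the step names, `actions/create-github-app-token` and the `<ref>` placeholder are assumptions.

```python
import re

# Constructed sample of a finalize job before the fix. RELEASE_APP_ID, the step
# names, actions/create-github-app-token and "<ref>" are assumptions.
BEFORE = """\
jobs:
  finalize:
    steps:
      - name: Generate Release App Token
        id: release-app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
      - name: Commit finalize changes
        uses: vig-os/commit-action@<ref>
        env:
          GH_TOKEN: ${{ steps.release-app-token.outputs.token }}
"""
# Constructed "after": the same job using the Commit App names the PR describes.
AFTER = (BEFORE.replace("RELEASE_APP", "COMMIT_APP")
         .replace("release-app", "commit-app").replace("Release App", "Commit App"))

STEP_ID = re.compile(r"(?m)^\s*id:\s*(\S+)")
APP_ID = re.compile(r"app-id:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")
TOKEN_REF = re.compile(r"GH_TOKEN:\s*\$\{\{\s*steps\.([\w-]+)\.outputs\.token\s*\}\}")

def commit_token_sources(workflow, action="vig-os/commit-action"):
    """For each step using `action`, name the app-id secret behind its GH_TOKEN."""
    steps = re.split(r"(?m)^\s*- (?=name:|id:|uses:)", workflow)[1:]
    minted = {}  # step id -> secret passed as app-id when the token was generated
    for step in steps:
        sid, app = STEP_ID.search(step), APP_ID.search(step)
        if sid and app:
            minted[sid.group(1)] = app.group(1)
    sources = []
    for step in steps:
        if re.search(r"uses:\s*" + re.escape(action) + "@", step):
            ref = TOKEN_REF.search(step)
            # A token not traceable to a token-generating step is reported as such.
            sources.append(minted.get(ref.group(1), "unresolved") if ref else "unresolved")
    return sources

def audit(workflow, expected="COMMIT_APP_ID"):
    """Return the offending sources: commit steps not backed by `expected`."""
    return [s for s in commit_token_sources(workflow) if s != expected]

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```
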