Create new release workflow

[nickclyde]

Summary

Implements #547. Adds a versioned release workflow so that bumping version in the root pyproject.toml and merging to main produces a vX.Y.Z git tag, three semver-tagged Lambda images on APHL ECR (and GHCR), a published GitHub Release with auto-generated notes, and a Slack notification.

Changes

• New .github/workflows/_build-and-push.yml - reusable workflow_call workflow that does a matrix build (index / ttc / augmentation), GHCR push, and APHL ECR retag+push. Shared between the dev and release flows.
• New .github/scripts/detect_version_bump.py - shared helper that parses old vs. new pyproject.toml [project].version with tomllib, validates strict X.Y.Z, and writes is_release / version / minor / major to $GITHUB_OUTPUT. Called from both the release and dev workflows.
• Rewritten .github/workflows/release.yml - triggers on push to main. Three jobs:
  • detect-release runs the shared script and, if a release was detected, tags the merge commit. The tag step is idempotent (if SHA is same it proceeds; if SHA is different it fails).
  • build invokes the reusable workflow with vX.Y.Z / vX.Y / vX / latest tags.
  • release creates the GitHub Release (generate_release_notes: true) with a fallback fetch for re-runs, then posts to Slack.
• Updated .github/workflows/docker-image-push.yml - adds a detect-bump gate (using the same shared script) so the dev flow skips release commits, and delegates the build to the reusable workflow. Schedule and workflow_dispatch triggers are preserved.
• Deleted dev_scripts/version_name.sh - pyproject.toml version is now the single source of truth; no callers remain.
• Rewritten docs/releases.md - Now describes the bump-version-and-merge flow, verification checklist, hotfix flow, and failure modes.

Notes for reviewers

• The release workflow does not rely on a tag-push retrigger (a GITHUB_TOKEN-pushed tag would not fire a downstream workflow). Everything happens in one workflow run.
• Tag set on each release per acceptance criteria: vX.Y.Z, vX.Y, vX, latest. The major/minor tags are mutable; only vX.Y.Z is immutable.
• First release will bump 0.1.0 → 0.2.0, producing tag v0.2.0.

Test plan

• Land this PR with no pyproject.toml version bump. Confirm: release workflow runs, detect-release outputs is_release=false, build and release jobs are skipped; docker-image-push.yml runs and pushes :latest + :main via the reusable workflow.
• Open follow-up PR bumping pyproject.toml version from 0.1.0 → 0.2.0. Merge. Confirm:
  • v0.2.0 tag exists on origin pointing at the merge commit
  • GHCR + APHL ECR each have index / ttc / augmentation with :v0.2.0, :v0.2, :v0, :latest
  • GitHub Releases page shows v0.2.0 published with auto-generated PR notes
  • Slack receives the release link
  • docker-image-push.yml build job is skipped on the release commit
• Re-run the release workflow on the same merge commit; confirm idempotent success (same-SHA tag collision is a no-op).

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.03%. Comparing base (5475794) to head (acdc0f1).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #558   +/-   ##
=======================================
  Coverage   96.03%   96.03%           
=======================================
  Files          46       46           
  Lines        2368     2368           
=======================================
  Hits         2274     2274           
  Misses         94       94           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.