ci: add OSPO branch protection and environment-scoped workflows

[jung-thomas]

Summary

Implements OSPO requirements for main branch protection and secret-handling workflow protection.

• Ruleset main-protection (already created via API, JSON spec checked in at .github/rulesets/main-protection.json): requires PR + CI test check, blocks force-push and deletion, admin bypass enabled.
• Three GitHub Environments (already created via API):
  • release — release.yml runs here
  • signing — release-tray.yml and sign-windows.yml run here, requires manual approval from a repo admin (currently jung-thomas)
  • news-sync — news-sync.yml runs here
• Workflows updated with environment: declarations on the relevant jobs.
• CLAUDE.md release-pipeline section updated to document the approval gate.

Test plan

• Verify the PR cannot be merged without the CI test check passing
• Confirm the main-protection ruleset is visible at https://github.com/SAP-samples/sap-devs-cli/rules
• After merge, verify environments at https://github.com/SAP-samples/sap-devs-cli/settings/environments
• Manual follow-up: scope SIGNPATH_* secrets to signing environment and YOUTUBE_API_KEY to news-sync environment (currently inherited from org level)
• First release after merge: sign-windows.yml will pause for required-reviewer approval — verify the notification flow works end-to-end

Notes

• This is the first PR exercising the new protection rules; if anything is misconfigured, this PR is where it'll surface.
• Tag protection was intentionally not added at the repo level — the SAP-samples org already enforces tag immutability, and a repo-level tag ruleset would conflict with release.yml pushing tags via GITHUB_TOKEN (see CLAUDE.md release section).