ci: align release app token usage

[Boshen]

Summary

• remove the ineffective owner / repositories inputs from the release GitHub App token step
• match the same-repo GitHub App token usage used in oxc-project/oxc and oxc-project/unicode-id-start
• add workflow_dispatch so the release workflow can be manually retested after the GitHub App installation is fixed

Why

The failed run still reached GET /repos/rolldown/notify/installation and returned 404 even with owner and repositories set. The Oxc workflows use plain client-id + private-key for same-repo tokens; the remaining issue is the GitHub App installation or selected-repository access for rolldown/notify, not workflow token scoping.

Verification

• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml"); puts "ok"'
• git diff --check -- .github/workflows/release.yml

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2151b0f5fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep GitHub App token scoped to required permissions

By removing the permission-contents and permission-pull-requests inputs from this actions/create-github-app-token step, the minted installation token now defaults to all permissions granted to the app installation, not just the two needed by release-plz. That expands the blast radius for every release run if a downstream action or script is compromised, and it is a security regression relative to the previous least-privilege configuration.

Useful? React with 👍 / 👎.