Replace PowerShell release script with bash

The release script no longer publishes to NuGet directly. Instead,
publishing is handled by the release.yml GitHub Actions workflow
using trusted publishing.

Also adds plan.md with manual setup instructions for the GitHub
environment and NuGet.org trusted publishing policy.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: oschwald

README.dev.md

@@ -1,4 +1,6 @@
-To publish the to NuGet:
+## Releasing
 
-1. Update release notes.
-2. Run `.\dev-bin\release.ps1`.
+1. Create a release branch from main.
+2. Update `releasenotes.md` with the version and today's date.
+3. Run `./dev-bin/release.sh`.
+4. Approve the release in the GitHub Actions workflow (requires `nuget` environment approval).

dev-bin/release.ps1

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Check that we're not on the main branch
+current_branch=$(git branch --show-current)
+if [ "$current_branch" = "main" ]; then
+    echo "Error: Releases should not be done directly on the main branch."
+    echo "Please create a release branch and run this script from there."
+    exit 1
+fi
+
+# Fetch latest changes and check that we're not behind origin/main
+echo "Fetching from origin..."
+git fetch origin
+
+if ! git merge-base --is-ancestor origin/main HEAD; then
+    echo "Error: Current branch is behind origin/main."
+    echo "Please merge or rebase with origin/main before releasing."
+    exit 1
+fi
+
+changelog=$(cat releasenotes.md)
+
+regex='([0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?) \(([0-9]{4}-[0-9]{2}-[0-9]{2})\)'
+
+if [[ ! $changelog =~ $regex ]]; then
+    echo "Could not find version/date in releasenotes.md!"
+    exit 1
+fi
+
+version="${BASH_REMATCH[1]}"
+date="${BASH_REMATCH[3]}"
+
+if [[ "$date" != "$(date +"%Y-%m-%d")" ]]; then
+    echo "$date is not today!"
+    exit 1
+fi
+
+tag="v$version"
+
+if [ -n "$(git status --porcelain)" ]; then
+    echo ". is not clean." >&2
+    exit 1
+fi
+
+# Update version in csproj
+sed -i "s|<VersionPrefix>[^<]*</VersionPrefix>|<VersionPrefix>$version</VersionPrefix>|" MaxMind.Db/MaxMind.Db.csproj
+
+# Build and test
+dotnet build -c Release
+dotnet test -c Release
+
+echo $'\nDiff:'
+git diff
+
+read -e -p "Commit changes and create release? (y/n) " should_continue
+
+if [ "$should_continue" != "y" ]; then
+    echo "Aborting"
+    exit 1
+fi
+
+git commit -m "Prepare for $version" -a
+
+git push
+
+gh release create --target "$(git branch --show-current)" -t "$version" "$tag"

dev-bin/release.sh

@@ -0,0 +1,36 @@
+# NuGet Trusted Publishing Setup
+
+This document describes the manual setup required to enable NuGet trusted publishing.
+
+## 1. Create GitHub Environment with Approval
+
+1. Go to repository **Settings → Environments**
+2. Click **New environment**
+3. Name it `nuget`
+4. Configure protection rules:
+   - Check **Required reviewers**
+   - Add appropriate team members or individuals who can approve releases
+   - Optionally set **Wait timer** (e.g., 5 minutes) for additional safety
+5. Click **Save protection rules**
+
+## 2. Create NuGet.org Trusted Publishing Policy
+
+1. Log into nuget.org with the `maxmind` organization account
+2. Navigate to **Account → Trusted Publishing**
+3. Click **Add trusted publishing policy**
+4. Configure the policy:
+   - **Repository Owner**: `maxmind`
+   - **Repository**: `MaxMind-DB-Reader-dotnet`
+   - **Workflow File**: `release.yml`
+   - **Environment**: `nuget`
+5. Select `maxmind` as the package owner
+6. Save the policy
+
+Note: The policy will be in "pending" state until the first successful publish, then becomes permanently active.
+
+## Security Benefits
+
+- No long-lived NuGet API keys stored in GitHub secrets
+- OIDC tokens are short-lived (~1 hour) and single-use
+- Environment protection rules provide approval workflow before publishing
+- Clear audit trail of who approved each release