fix: use RELEASE_TOKEN for auto-bump in release workflow

Uses RELEASE_TOKEN (a PAT with Contents write permission) to bypass
branch protection when auto-bumping the version.

Setup required:
1. Create a Fine-Grained PAT at GitHub Settings → Developer Settings → Personal Access Tokens
2. Grant it 'Contents: Read and write' permission for this repo
3. Add it as a repository secret named RELEASE_TOKEN

The workflow falls back to GITHUB_TOKEN if RELEASE_TOKEN is not set,
which will fail on protected branches but work on unprotected ones.

Author: rishitank

.github/workflows/release.yml

@@ -129,14 +129,15 @@ jobs:
           echo "should_release=false" >> $GITHUB_OUTPUT
 
   # Bump version in Cargo.toml if needed
+  # Uses RELEASE_TOKEN (PAT) to bypass branch protection, falls back to GITHUB_TOKEN
   bump-version:
     needs: check
     if: needs.check.outputs.should_release == 'true' && needs.check.outputs.needs_bump == 'true'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Update Cargo.toml version
         run: |
@@ -154,7 +155,7 @@ jobs:
           git commit -m "chore: bump version to $VERSION [skip ci]"
           git push
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN || secrets.GITHUB_TOKEN }}
 
   build:
     needs: [check, bump-version]