ci: scope release gate to the CI workflow run (not all check-runs)

[clemenshelm]

Problem

The publish workflow's ci-gate ("Verify CI passed") inspected every github-actions check-run on the release commit and failed if any was not completed/success. GitHub's own "Dependabot Updates" recompute posts a Dependabot check-run (app.slug: github-actions) that sits in_progress right after a dev-deps PR merges to main — so the gate failed and the release did not publish even though all real CI checks were green. This blocked the v0.13.0 release on 2026-06-16 (workaround: wait for the Dependabot run to finish, then re-run publish).

Fix

Gate only on this repo's CI workflow (ci.yml) run for the commit, via actions/workflows/ci.yml/runs?head_sha=…, and require its status == completed && conclusion == success. The CI run's conclusion is success only when every CI job (Node matrix, Security audit, …) passed, so it's the authoritative signal — and it structurally excludes the unrelated Dependabot check-run.

• Still fails when a real CI job fails (the run conclusion is failure/cancelled).
• Still fails if no CI run exists for the commit (can't verify → don't publish).
• Passes when CI is green regardless of a Dependabot check being in_progress.

Workflow-only change; CI on this PR (src lint/typecheck/test) is unaffected. The gate itself only runs on release: published, so it can't be exercised pre-merge — verified by reasoning + the API shape.