ci: use electron/semantic-trusted-release instead of npx (#127)

Replaces unpinned npx semantic-release with the org-standard
electron/semantic-trusted-release composite action. The previous
invocation fetched semantic-release@latest from the registry on
every release with publish credentials in scope.

The .releaserc.json already matches what secret-service-action
uses (commit-analyzer, release-notes-generator, github — all
bundled with semantic-release core), so no config changes needed.

Also:
- drops the redundant setup-node step (the composite action has its own)
- adds persist-credentials: false on checkout
- adds pull-requests/issues write permissions for release comments

Author: MarshallOfSound

.github/workflows/ci.yml

@@ -41,14 +41,15 @@ jobs:
     needs: test-typescript
     if: github.ref == 'refs/heads/main'
     permissions:
-      contents: write
+      contents: write # for making github release
+      pull-requests: write # for commenting release version
+      issues: write # for commenting release version
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
-          node-version: 20
-      - run: npx semantic-release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
+      - name: Run semantic release
+        uses: electron/semantic-trusted-release@03517840010ba30fe5264f4875f4cff066b658d1 # v1.1.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}