Add release bot workflow for trufflehog releases (trufflesecurity#4835)

Triggers on release publish events to run the release bot, which
generates release notes using GitHub, Jira, and AI services.

Adapted from the thog repo workflow with trufflehog-specific adjustments:
repository argument set to trufflehog, environment requirement removed
in favor of a repo-level secret, permissions restricted, and a fork
guard added for consistency with other trufflehog workflows.

Made-with: Cursor

Author: bryanbeverly

.github/workflows/release-bot.yml

@@ -0,0 +1,36 @@
+name: Run release bot
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  run:
+    if: ${{ github.repository == 'trufflesecurity/trufflehog' }}
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Login to GCP
+      id: auth
+      uses: "google-github-actions/auth@v2"
+      with:
+        credentials_json: ${{ secrets.GCP_SA_TRUFFLE_RELEASE_BOT }}
+
+    - name: Login to GAR
+      uses: docker/login-action@v3
+      with:
+        registry: us-central1-docker.pkg.dev
+        username: _json_key
+        password: ${{ secrets.GCP_SA_TRUFFLE_RELEASE_BOT }}
+
+    - name: Run release bot
+      env:
+        RELEASE_TAG: ${{ github.event.release.tag_name }}
+      run: |
+        docker run \
+        -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/keys/GCP_SA_TRUFFLE_RELEASE_BOT.json \
+        -v ${{ steps.auth.outputs.credentials_file_path }}:/tmp/keys/GCP_SA_TRUFFLE_RELEASE_BOT.json:ro \
+        us-central1-docker.pkg.dev/truffle-release-bot/releases/bot:latest \
+        --repository trufflehog "$RELEASE_TAG"