ci(release-plz): switch to RELEASE_PLZ_TOKEN PAT to trigger downstream workflows

The default GITHUB_TOKEN cannot fire downstream workflows when it
pushes tags or commits, which is why the maturin PyPI wheel build did
not run when release-plz tagged sqlshield-py-v0.0.1. Switch the
checkout token and release-plz GITHUB_TOKEN env to a PAT so the tag
push is authenticated as a real user and triggers the tag-listening
CI workflow.

ACTION REQUIRED: Add a new repo secret named `RELEASE_PLZ_TOKEN` with
a PAT (classic or fine-grained) granting:
  - contents: write
  - pull_requests: write
on this repository.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: davidsmfreire

.github/workflows/release-plz.yml

@@ -18,9 +18,17 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          # Use the PAT for checkout too so subsequent pushes (tags,
+          # release commits) are authenticated as the PAT owner and
+          # trigger downstream workflows like the maturin CI build.
+          token: ${{ secrets.RELEASE_PLZ_TOKEN }}
       - uses: dtolnay/rust-toolchain@stable
       - name: release-plz
         uses: MarcoIeni/release-plz-action@v0.5
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # PAT with `contents: write` and `pull_requests: write`. The
+          # default GITHUB_TOKEN cannot trigger downstream workflows
+          # (e.g. tag-driven PyPI wheel builds), so release-plz must
+          # push tags using a PAT instead.
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}