[ci] refactor: consolidate PR + release workflows; use validate-only #3658

Merged: ko3n1g merged 29 commits into main from ko3n1g/refactor/validate-only-release, May 6, 2026
ko3n1g commented May 4, 2026

Why

See the design discussion in NVIDIA-NeMo/FW-CI-templates#466.

What

  • Delete .github/workflows/build-test-publish-wheel.yml.
  • Rewrite .github/workflows/release.yaml as the single caller for both push and workflow_dispatch. validate-only derives from the trigger.

One pin to FW-CI-templates governs both paths. Bumping it on a PR rehearses the exact same code path that ships at release.

Trigger / mode matrix

| Event | validate-only | dry-run | Effect |
|---|---|---|---|
| Push (PR / main / deploy-release) | true | n/a | Build + validate-wheel + bump compute + gh-release echo + docs build. No publish. |
| workflow_dispatch dry-run=true | false | true | Real bump branch + PR + cleanup. Wheel publish + GH release POST + docs publish all inert. Slack lands with dry-run prefix. |
| workflow_dispatch dry-run=false | false | false | Full release. |

Test plan

Rollout

  1. Land FW-CI-templates#466.
  2. Cut FW-CI-templates v1.0.0.
  3. Bump the SHA pin in this PR → tag.
  4. Merge.

Comment thread .github/workflows/release.yaml Outdated

release:
uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@v0.93.0
uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@17906084f64b4353b596133c5e8b98c2347e4c8e
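
Review bot: the new `uses:` line pins `_release_library.yml` to a 40-character commit SHA with nothing on the line recording which release that commit belongs to. A full SHA cannot be re-pointed the way a tag such as `v0.93.0` can, so when the pin is updated for the release, consider keeping the SHA form and adding the tag name as a trailing `#` comment on the same line; that keeps the reference immutable while making it traceable in an audit.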

nit: PR description says "Pinned to a SHA on the FW-CI-templates branch for iteration; will swap to a tagged release before merge." — flagging so this doesn't slip through. The old workflow pinned to v0.93.0; merging with a bare SHA makes future audits harder and bypasses any tag-level protection the templates repo may enforce.

claude (Bot) left a comment

Looks good overall — the consolidation is well-motivated and the validate-only / dry-run separation is clean.

One item to resolve before merge:

  • SHA pin on FW-CI-templates (inline comment): needs to be swapped to a tagged release as noted in the PR description.

Minor observations (no action needed unless you disagree):

  • The old build-test-publish-wheel-summary had a dead SKIPPING_IS_ALLOWED check (shell var was never set). Good that the new release-summary drops it.
  • cancel-in-progress is correctly gated to push events only, so manual workflow_dispatch releases won't get cancelled mid-flight.
  • Container image bumped from 25.05-py3 to 25.11-py3 — assumed intentional.

Suggested test cases

No perf tests impacted.
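
The pin question raised in this review can be checked mechanically. The script below is an added example, not code from this PR or from FW-CI-templates: it scans workflow text for `uses:` references and reports whether each one is a mutable ref (tag or branch) or a full commit SHA, and whether a SHA pin carries a comment naming its release. The sample workflow is constructed from the two refs shown in the diff above; the job names and the `<tag>` comment are placeholders.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally followed by a
# trailing `# comment`. Local actions (./path) have no @ref and do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: the refs come from the diff on this page, the rest is a placeholder.
SAMPLE = """\
jobs:
  release:
    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@v0.93.0
  release-sha:
    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@17906084f64b4353b596133c5e8b98c2347e4c8e
  release-annotated:
    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_release_library.yml@17906084f64b4353b596133c5e8b98c2347e4c8e # <tag>
"""


def audit_workflow(text):
    """Return one finding per `uses:` line that references another repository."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        if target.startswith(("docker://", "./")):
            continue  # container images and local actions are out of scope here
        if FULL_SHA_RE.match(ref):
            kind = "sha"
            note = "ok" if comment else "immutable, but no comment records which release this is"
        else:
            kind = "mutable"
            note = "tag or branch can be re-pointed; pin to the commit SHA it resolves to"
        findings.append({"line": lineno, "target": target, "ref": ref,
                         "kind": kind, "comment": comment, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        print(f"line {f['line']}: {f['kind']:<7} {f['ref'][:12]:<12} {f['note']}")
```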

Signed-off-by: oliver könig <okoenig@nvidia.com>
ko3n1g and others added 9 commits May 5, 2026 16:54
Why: FW-CI-templates dropped GPG signing; SSH_KEY/SSH_PWD secrets no
longer needed by the release pipeline.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: oliver könig <okoenig@nvidia.com>
…in-check always on)

…quirements-file)
