fix: keep GITHUB_TOKEN/CODEBERG_TOKEN secrets in release vault action

formulas/release.sh still uses API tokens for mirror pushes. Add mounts
alongside secrets rather than replacing them, so both the .sh (token) and
.toml (SSH) formula paths work.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/release.sh

@@ -96,7 +96,7 @@ disinto_release() {
 id = "${id}"
 formula = "release"
 context = "Release ${version}"
-secrets = []
+secrets = ["GITHUB_TOKEN", "CODEBERG_TOKEN"]
 mounts = ["ssh"]
 EOF
 

vault/examples/release.toml

@@ -27,7 +27,7 @@
 id = "release-v120"
 formula = "release"
 context = "Release v1.2.0 — includes vault redesign, .profile system, architect agent"
-secrets = []
+secrets = ["GITHUB_TOKEN", "CODEBERG_TOKEN"]
 mounts = ["ssh"]
 
 # Optional: specify a larger model for complex release logic