ci: harden workflow release guards #10

Merged
antonio-orionus merged 1 commit into main from codex/harden-github-workflows on May 31, 2026
Conversation

antonio-orionus (Owner) commented May 31, 2026

Summary

  • make CI default to read-only repository permissions
  • prevent release publishing jobs from running on non-tag manual dispatches
  • verify release metadata before auto-tagging and rely on the tag push to trigger release once

Validation

  • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 -color=false .github/workflows/*.yml
  • pnpm verify:release -- --tag v0.1.3
  • pnpm lint
  • pre-push hook

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD security by restricting token permissions to minimum required access levels.
    • Improved release verification process with additional validation before tagging.
    • Refined release workflow to ensure publishing only occurs on valid Git tag triggers, preventing unintended deployments.

coderabbitai (Bot) commented May 31, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: cd4457b7-37fa-48f9-b0c1-431cf62080e5

📥 Commits

Reviewing files that changed from the base of the PR and between af069d9 and 0c0954b.

📒 Files selected for processing (3)
  • .github/workflows/auto-tag.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

📝 Walkthrough

Three GitHub Actions workflows are updated to improve security and release automation control. Workflow token permissions are restricted to least-privilege levels. Release publishing steps are guarded to execute only when triggered by git tags, and a verification step is added before tag creation.

Changes

Workflow Security and Release Automation

Layer: Workflow permission hardening
File(s): .github/workflows/ci.yml, .github/workflows/auto-tag.yml
Summary: CI workflow introduces an explicit permissions: contents: read declaration. Auto-tag workflow removes the actions: write permission, retaining only contents: write.

Layer: Release automation and tag-driven publishing
File(s): .github/workflows/auto-tag.yml, .github/workflows/release.yml
Summary: Auto-tag workflow adds a release metadata verification step (node scripts/verify-release.mjs) before tagging and removes the direct workflow trigger to release.yml. Release workflow adds if: startsWith(github.ref, 'refs/tags/') guards to the github-release job and all downstream publishing jobs (npm, crates, PyPI), preventing execution on manual dispatch.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • antonio-orionus/url-sanitize#9: Both PRs refine release automation with tag-conditional publishing and integrate scripts/verify-release.mjs for metadata verification in the tagging and release pipeline.

Poem

🐰 With tighter perms and guarded gates,
Our workflows control when we create tags,
Verify first before the tag lands,
Publish only on refs we understand,
Security wrapped in GitHub's hands! 🏷️

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: harden workflow release guards' accurately summarizes the main changes: restricting permissions and adding conditional guards to release workflows.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

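The walkthrough above describes three controls: a read-only default token, a metadata check that runs before any tag is created, and a tag-ref guard on every publishing job. The following two workflow documents are a constructed illustration of that pattern; they are not the project's actual .github/workflows files, and the job names, step names, secret name (RELEASE_TOKEN) and the `--tag` argument to scripts/verify-release.mjs are assumptions (the page shows only that the script exists and accepts a tag on the command line).

```yaml
# Constructed example; not the project's own workflow files.
#
# --- .github/workflows/auto-tag.yml ---
name: auto-tag
on:
  push:
    branches: [main]

# Least privilege for the whole workflow: tags need contents: write, nothing else.
permissions:
  contents: write

jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Assumed: a PAT or GitHub App token. Pushes made with the default
          # GITHUB_TOKEN do not start new workflow runs, so a tag pushed with it
          # would never trigger release.yml below.
          token: ${{ secrets.RELEASE_TOKEN }}
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - name: Resolve the tag from package metadata
        run: |
          echo "TAG=v$(node -p 'require("./package.json").version')" >> "$GITHUB_ENV"
      # Verification happens before the tag exists: a failing check stops here and
      # nothing downstream is ever triggered.
      - name: Verify release metadata before tagging
        run: node scripts/verify-release.mjs --tag "$TAG"
      - name: Create and push the tag (this push is the only release trigger)
        run: |
          git tag "$TAG"
          git push origin "$TAG"
---
# --- .github/workflows/release.yml ---
name: release
on:
  push:
    tags: ['v*']
  workflow_dispatch:   # still allowed for builds, but publishing is guarded below

# Default for every job: a read-only token. Jobs escalate individually.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and test here"

  github-release:
    needs: build
    # Only a real tag ref reaches this job; a manual dispatch on a branch has
    # github.ref = refs/heads/<branch> and is skipped.
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write        # escalated only where the release object is created
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}

  publish-npm:
    needs: github-release
    # Repeat the guard explicitly instead of relying on the skipped `needs` job:
    # a later `if: always()` on this job would otherwise let it run on dispatch.
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # OIDC token for npm provenance; no write to the repo
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two checks worth running on any workflow set like this: actionlint (the PR's validation list shows it) catches malformed `if:` expressions, and a manual `workflow_dispatch` on main should show the build job running while github-release and publish-npm report "skipped". If the skip does not happen, the guard is on the wrong job or has been overridden by `always()`.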

antonio-orionus merged commit c5369f2 into main on May 31, 2026
15 checks passed
antonio-orionus deleted the codex/harden-github-workflows branch on May 31, 2026 at 19:58