
ci: dispatch release after auto-tag #12

Merged
antonio-orionus merged 2 commits into main from codex/fix-auto-tag-release-dispatch on May 31, 2026
Conversation

antonio-orionus (Owner) commented May 31, 2026

Summary

  • restore explicit release workflow dispatch after auto-tag pushes a version tag
  • grant auto-tag the narrow actions: write permission needed for workflow dispatch

Why

Tags pushed by GITHUB_TOKEN do not trigger a separate tag-push workflow run, so relying only on release.yml's push: tags trigger strands auto-created tags.

Validation

  • go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 -color=false .github/workflows/*.yml
  • pnpm lint
  • pre-push hook

Summary by CodeRabbit

  • Chores
    • Release automation now triggers the release pipeline automatically when new tags are pushed, streamlining deployments.
  • Tests
    • Added a post-release verification step that runs after public publishing to confirm release artifacts and public surfaces for tag releases.
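The mechanism the PR body describes, shown as an added example rather than the repository's actual auto-tag.yml: the tag job holds the two write scopes itself (with the purpose of each recorded), pushes the annotated tag, and then dispatches release.yml explicitly because a GITHUB_TOKEN tag push does not fire the push: tags trigger. The upstream workflow name, the checkout/setup steps, the TAG value and the `v*` tag pattern are assumptions; the job condition, permissions and gh command are those on the page.

```yaml
# .github/workflows/auto-tag.yml (excerpt, added example)
name: auto-tag
on:
  workflow_run:
    workflows: [ci]          # assumed name of the upstream CI workflow
    types: [completed]

jobs:
  tag:
    name: Tag main and dispatch release
    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main'
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the annotated version tag
      actions: write         # gh workflow run (creates a workflow_dispatch event)
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # tags need the full history to be meaningful
      - name: Tag and dispatch release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: v0.0.0-example   # assumed; the real job derives this from the version
        run: |
          set -euo pipefail
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$TAG" -m "Release $TAG"
          git push origin "refs/tags/$TAG"
          # A tag pushed with GITHUB_TOKEN does not trigger release.yml's
          # push: tags run, so start the release for this tag explicitly.
          gh workflow run release.yml --ref "$TAG"
---
# .github/workflows/release.yml (excerpt): the dispatch above is only
# accepted if the release workflow declares a workflow_dispatch trigger.
name: release
on:
  push:
    tags: ['v*']             # assumed pattern
  workflow_dispatch:
```

Because no other job in auto-tag.yml carries actions: write, a token minted for any future job in that workflow cannot start other workflows.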

coderabbitai (Bot) commented May 31, 2026

📝 Walkthrough

The auto-tag workflow now requests actions: write and, after pushing an annotated tag, invokes release.yml for that tag. The release.yml workflow gains a new tag-only post-release-public-smoke job that runs scripts/verify-published-release.mjs for the pushed tag after publish jobs complete.

Changes

Workflow updates
  • Permissions and downstream workflow trigger (.github/workflows/auto-tag.yml): workflow permissions now include actions: write. After pushing an annotated tag the workflow runs gh workflow run release.yml --ref "$TAG".
  • Post-release public verification job (.github/workflows/release.yml): adds a post-release-public-smoke job (runs only on tag refs) that checks out the repo, sets up Node.js, and runs scripts/verify-published-release.mjs "${GITHUB_REF_NAME}" after the publish jobs succeed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hopped to the repo with a tag so bright,
Gave actions the key to set workflows alight.
A tiny script checks the published prize,
The rabbit nods as CI verifies. 🐇

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically summarizes the main change: dispatching the release workflow after auto-tag creates and pushes a version tag.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-tag.yml:
- Around line 8-10: The workflow-level write permission is too broad; remove the
top-level permissions block (the global "permissions: actions: write" /
"contents: write") and instead add a scoped permissions block under the tag job
(jobs.tag.permissions) granting only the necessary permissions (e.g., actions:
write and contents: write if the tag job needs to push tags). Update the YAML to
place permissions under the job named "tag" (jobs.tag.permissions) so other jobs
no longer inherit elevated token access.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 47995084-43bd-47e6-886c-488e19e0e983

📥 Commits

Reviewing files that changed from the base of the PR and between 93ae57e and 2759116.

📒 Files selected for processing (1)
  • .github/workflows/auto-tag.yml

Comment on lines 8 to 10
permissions:
actions: write
contents: write


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify dispatch contract and permission placement impact (read-only).
set -euo pipefail

echo "== auto-tag permissions blocks =="
rg -n -C2 '^\s*permissions:|actions:\s*write|contents:\s*write' .github/workflows/auto-tag.yml

echo
echo "== release workflow supports workflow_dispatch =="
fd -a 'release\.yml$' .github/workflows | while read -r f; do
  echo "-- $f"
  rg -n -C2 '^\s*on:|workflow_dispatch' "$f" || true
done

Repository: antonio-orionus/url-sanitize

Length of output: 374


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== auto-tag.yml (relevant ranges) =="
nl -ba .github/workflows/auto-tag.yml | sed -n '1,120p'

Repository: antonio-orionus/url-sanitize

Length of output: 170


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== auto-tag.yml (lines 1-120, numbered) =="
awk '{printf "%d:%s\n", NR, $0}' .github/workflows/auto-tag.yml | sed -n '1,120p'

echo
echo "== auto-tag.yml (lines 120-end, numbered) =="
awk '{printf "%d:%s\n", NR, $0}' .github/workflows/auto-tag.yml | sed -n '121,260p'

Repository: antonio-orionus/url-sanitize

Length of output: 2180


Scope permissions: actions: write to the tag job (least privilege).
Workflow-level write permissions at .github/workflows/auto-tag.yml lines 8-10 apply to the whole workflow; move them under jobs.tag.permissions so future jobs don’t inherit elevated token access.

Proposed least-privilege change
-permissions:
-  actions: write
-  contents: write
-
 jobs:
   tag:
+    permissions:
+      actions: write
+      contents: write
     if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main'
     runs-on: ubuntu-latest
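Review bot: The scoped block still carries no explanatory comments, which zizmor flags as undocumented-permissions at line 9; annotate each key with its purpose (`contents: write` for pushing the annotated tag, `actions: write` for `gh workflow run release.yml --ref "$TAG"`) so the grant stays auditable. Also confirm the dispatch step lives inside this `tag` job, since after this change no other job in the workflow holds `actions: write`.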
🧰 Tools
🪛 zizmor (1.25.2)
  • [error] 9-9: overly broad permissions (excessive-permissions): actions: write is overly broad at the workflow level
  • [error] 10-10: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level
  • [warning] 9-9: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment


coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 254-257: The post-release-public-smoke job unconditionally runs
node scripts/verify-published-release.mjs which validates Homebrew/Scoop even
when publish-package-managers skipped; update the workflow so either (A) make
post-release-public-smoke conditional on the package-manager publish step by
adding the same env check (if: env.PACKAGING_REPO_TOKEN != '') or by adding a
dependency on publish-package-managers success, or (B) change
publish-package-managers to explicitly fail when PACKAGING_REPO_TOKEN is
required but unset (instead of silently echoing “skipping”), or (C) alter
scripts/verify-published-release.mjs to detect PACKAGING_REPO_TOKEN and skip
Homebrew/Scoop validation when it’s not provided; refer to the job names
post-release-public-smoke and publish-package-managers and the script node
scripts/verify-published-release.mjs and env var PACKAGING_REPO_TOKEN when
implementing the fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 700124c1-bd1f-4231-9497-3999ebb1ce1e

📥 Commits

Reviewing files that changed from the base of the PR and between 2759116 and 7d4e899.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Comment on lines +254 to +257
post-release-public-smoke:
needs: [publish-npm, publish-crates, publish-pypi, publish-package-managers]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
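Review bot: The `if: startsWith(github.ref, 'refs/tags/')` condition gates only on the ref, while `publish-package-managers` in `needs` succeeds without publishing when `PACKAGING_REPO_TOKEN` is empty, so the smoke run will fail on the Homebrew/Scoop checks for a reason unrelated to the release itself; gate this job on a signal that package-manager assets were actually published, or make that job fail when the token is required but unset. The job also has no `name:` (zizmor anonymous-definition, line 254); add one.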


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if publish-package-managers can succeed without publishing

rg -n -A3 -B3 'PACKAGING_REPO_TOKEN' .github/workflows/release.yml

Repository: antonio-orionus/url-sanitize

Length of output: 2009


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find the post-release-public-smoke job and show its relevant steps
rg -n -A120 'post-release-public-smoke:' .github/workflows/release.yml | head -n 160

# Locate the smoke script invocation (if any) within that job
rg -n 'post-release-public-smoke:|smoke|package-managers|homebrew|scoop|RUNNER_TEMP/package-managers|GITHUB_REF_NAME' .github/workflows/release.yml

Repository: antonio-orionus/url-sanitize

Length of output: 6825


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the verify script (or at least the sections related to homebrew/scoop and surfaced checks)
ls -la scripts/verify-published-release.mjs || true
wc -l scripts/verify-published-release.mjs || true

rg -n 'homebrew|scoop|tap|bucket|package[- ]managers|brew|Verify public release surfaces' scripts/verify-published-release.mjs || true

# Print the most relevant blocks around homebrew/scoop checks (keep output bounded)
rg -n -A80 -B20 'homebrew|scoop|tap|bucket|package[- ]managers|brew|scoop' scripts/verify-published-release.mjs | head -n 200

Repository: antonio-orionus/url-sanitize

Length of output: 5627


Gate the smoke verification on package-manager publishing (or skip those checks when PACKAGING_REPO_TOKEN is unset)

  • publish-package-managers succeeds without publishing when PACKAGING_REPO_TOKEN is empty (it only echoes “skipping” and all Homebrew/Scoop publishing steps are guarded by if: env.PACKAGING_REPO_TOKEN != '').
  • post-release-public-smoke always runs node scripts/verify-published-release.mjs "${GITHUB_REF_NAME}", and that script unconditionally validates the Homebrew formula and Scoop manifest for the release version.
  • Result: when package-manager publishing is skipped, the workflow fails at the smoke stage with Homebrew/Scoop mismatch errors, even though the real root cause is missing token configuration.

Make the smoke job (or the script) conditional on whether package-manager assets were published, or explicitly fail publish-package-managers when PACKAGING_REPO_TOKEN is required but not configured.

🧰 Tools
🪛 zizmor (1.25.2)
  • [info] 254-254: workflow or action definition without a name (anonymous-definition): this job

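One way to resolve the gating problem the review describes (its option A), as an added example and not the repository's release.yml: publish-package-managers records whether it actually published, and post-release-public-smoke runs only for tag refs where it did. The `gate` step id, the `published` output, the job names' `name:` values, the checkout/setup-node steps and the Node version are assumptions; the job ids, `needs` list, tag condition, PACKAGING_REPO_TOKEN and the verify command are those on the page.

```yaml
# .github/workflows/release.yml (excerpt, added example)
jobs:
  publish-package-managers:
    name: Publish Homebrew formula and Scoop manifest
    runs-on: ubuntu-latest
    outputs:
      published: ${{ steps.gate.outputs.published }}
    steps:
      - id: gate   # assumed step id: turns the token check into a job output
        env:
          PACKAGING_REPO_TOKEN: ${{ secrets.PACKAGING_REPO_TOKEN }}
        run: |
          if [ -z "$PACKAGING_REPO_TOKEN" ]; then
            echo "PACKAGING_REPO_TOKEN is not configured; skipping package-manager publishing"
            echo "published=false" >> "$GITHUB_OUTPUT"
          else
            echo "published=true" >> "$GITHUB_OUTPUT"
          fi
      # The existing Homebrew/Scoop publishing steps follow here, each guarded by
      #   if: steps.gate.outputs.published == 'true'

  post-release-public-smoke:
    name: Verify published release surfaces
    needs: [publish-npm, publish-crates, publish-pypi, publish-package-managers]
    # Run only for tag refs, and only when the Homebrew/Scoop assets that
    # verify-published-release.mjs checks were actually published.
    if: startsWith(github.ref, 'refs/tags/') && needs.publish-package-managers.outputs.published == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed; reuse the version release.yml already pins
      - run: node scripts/verify-published-release.mjs "${GITHUB_REF_NAME}"
```

If the token is mandatory for tagged releases, the stricter alternative the review lists (option B) is for the gate step to exit non-zero instead of writing published=false, so the run fails at publish-package-managers with the real cause rather than at the smoke stage.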

@antonio-orionus antonio-orionus merged commit f080934 into main May 31, 2026
15 checks passed
@antonio-orionus antonio-orionus deleted the codex/fix-auto-tag-release-dispatch branch May 31, 2026 20:17