ci(release): use fine-grained PAT for branch protection bypass #183

Merged
k-chrispens merged 1 commit into main from ci/release-token
Mar 21, 2026

Conversation

k-chrispens (Collaborator) commented Mar 21, 2026

Summary by CodeRabbit

  • Chores
    • Updated release workflow authentication configuration to improve security of the automated release process.

Copilot AI review requested due to automatic review settings March 21, 2026 00:30
coderabbitai bot (Contributor) commented Mar 21, 2026

Caution: Review failed. The pull request is closed.

Commits

Reviewing files that changed from the base of the PR and between b1594a8 and 1da0ddf.

Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

The release workflow configuration was updated to use a dedicated RELEASE_TOKEN secret instead of the default GITHUB_TOKEN. The actions/checkout step now specifies this token via the token: parameter, and both python-semantic-release steps pass the custom token for authentication.

Changes

Cohort / File(s): Release Workflow Configuration (.github/workflows/release.yml)
Summary: Updated authentication tokens: actions/checkout now uses token: secrets.RELEASE_TOKEN, and python-semantic-release steps now pass github_token: secrets.RELEASE_TOKEN instead of secrets.GITHUB_TOKEN.

Estimated code review effort: 1 (Trivial), ~2 minutes

Poem

🐰 A token swap, so clean and neat,
From GITHUB to RELEASE, complete!
The workflow hops with newfound grace,
Authentication finds its place. ✨


@k-chrispens k-chrispens merged commit 0be4901 into main Mar 21, 2026
2 of 3 checks passed
@k-chrispens k-chrispens deleted the ci/release-token branch March 21, 2026 00:30
Copilot AI (Contributor) left a comment


Pull request overview

Updates the automated release workflow to authenticate with a fine-grained Personal Access Token (PAT) so the release automation can bypass branch protection constraints that block the default GITHUB_TOKEN.

Changes:

  • Use secrets.RELEASE_TOKEN for actions/checkout authentication.
  • Switch python-semantic-release and publish-action to use secrets.RELEASE_TOKEN instead of secrets.GITHUB_TOKEN.


Comment on lines 30 to 32
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.RELEASE_TOKEN }}
git_committer_name: "github-actions"
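Review bot: passing RELEASE_TOKEN as github_token changes trigger semantics as well as permissions: commits and tags pushed with a user PAT start new workflow runs, whereas pushes made with GITHUB_TOKEN do not, so confirm that the release commit and tag created by python-semantic-release cannot re-trigger this release job (for example through the workflow's trigger filters). It is also worth recording next to this input that the fine-grained PAT needs contents write on this repository to push, and that it only bypasses branch protection while the token's owner is on the rule's bypass list, so the bypass silently stops working if that account loses access or the token expires.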

Copilot AI Mar 21, 2026


This workflow now depends on a new RELEASE_TOKEN secret, but there’s no indication in-file of why GITHUB_TOKEN is insufficient or what permissions the PAT must have. Consider adding a short YAML comment near this input documenting the intent (branch-protection bypass) and the minimal fine-grained PAT permissions required so future maintainers can recreate/rotate it without trial-and-error.

ref: ${{ github.ref_name }}
fetch-depth: 0
fetch-tags: true
token: ${{ secrets.RELEASE_TOKEN }}

Copilot AI Mar 21, 2026


actions/checkout persists the provided token into the local git config by default. Since this is now a fine‑grained PAT, it would be safer/clearer to either (a) set persist-credentials: false if subsequent steps don't need git-remote auth, or (b) add an inline note that persisting credentials is intentional (because the workflow needs to push commits/tags) and that RELEASE_TOKEN should be minimally scoped/rotated.

Suggested change
token: ${{ secrets.RELEASE_TOKEN }}
token: ${{ secrets.RELEASE_TOKEN }}
persist-credentials: false

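As an added example, not code from this PR or the project: a stdlib-only audit that flags exactly the pattern the comment above describes, an actions/checkout step handed a secret other than GITHUB_TOKEN while persist-credentials is left at its default. The workflow text is constructed from the hunks in this PR; the python-semantic-release `uses:` path and the action versions are assumed, and the line-based scan assumes the usual `- uses:` / `with:` layout rather than a full YAML parser.

```python
"""Audit GitHub Actions workflow text for actions/checkout steps that receive a
secret other than GITHUB_TOKEN and do not set persist-credentials: false."""
import re

STEP_START = re.compile(r"^\s*-\s")          # a new list item, i.e. the next step
USES_CHECKOUT = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
TOKEN_KEY = re.compile(r"^\s*token:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\b")

def audit_checkout_tokens(workflow_text):
    """Return (secret_name, line_no) for each checkout step whose token is
    not GITHUB_TOKEN and which lacks persist-credentials: false."""
    findings, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        if not USES_CHECKOUT.match(lines[i]):
            i += 1
            continue
        secret, token_line, persisted = None, None, True
        j = i + 1
        # Inspect this step's inputs until a '- ' item starts the next step.
        while j < len(lines) and not STEP_START.match(lines[j]):
            m = TOKEN_KEY.match(lines[j])
            if m:
                secret, token_line = m.group(1), j + 1
            if PERSIST_FALSE.match(lines[j]):
                persisted = False
            j += 1
        if secret and secret != "GITHUB_TOKEN" and persisted:
            findings.append((secret, token_line))
        i = j
    return findings

# Constructed from this PR's hunks; the semantic-release action path/version is assumed.
RELEASE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
    with:
      ref: ${{ github.ref_name }}
      fetch-depth: 0
      fetch-tags: true
      token: ${{ secrets.RELEASE_TOKEN }}
  - uses: python-semantic-release/python-semantic-release@v9
    with:
      github_token: ${{ secrets.RELEASE_TOKEN }}
      git_committer_name: "github-actions"
"""
# The reviewer's suggested fix: keep the PAT for the fetch, but do not persist it.
HARDENED_WORKFLOW = RELEASE_WORKFLOW.replace(
    "      token: ${{ secrets.RELEASE_TOKEN }}\n",
    "      token: ${{ secrets.RELEASE_TOKEN }}\n      persist-credentials: false\n")
```

Running `audit_checkout_tokens` over the two constants reports the RELEASE_TOKEN line for the original workflow and nothing for the hardened one; the same check can be run over every file under .github/workflows as a CI gate.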