fix: autorelease secret inheritance (FXC-3911)

[daquinteroflex]

Greptile Overview

Greptile Summary

Added secrets: inherit directive to the run-client-tests job call in the release workflow. This enables the reusable test workflow to access required secrets (GITHUB_TOKEN for git operations and GH_TIDY3D_COVERAGE_GIST for coverage reporting) that were previously unavailable.

Changes:

• Added secrets: inherit with zizmor ignore directive at line 403
• Follows same pattern as other reusable workflow calls (create-tag at line 383, sync-readthedocs at line 470)
• Resolves FXC-3911 where tests were failing due to missing secret access

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The change is a straightforward one-line addition that follows established patterns in the same file. The secrets: inherit directive is already used in two other reusable workflow calls (create-tag and sync-readthedocs), and this change simply applies the same pattern to run-client-tests. The zizmor ignore directive indicates proper security review acknowledgment. No logic changes, no new functionality - just enabling required secret access for an existing workflow
• No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
.github/workflows/tidy3d-python-client-release.yml	5/5	Added secrets: inherit to run-client-tests job call with zizmor ignore directive - enables required secret propagation to reusable workflow

Sequence Diagram

sequenceDiagram
    participant Trigger as Release Workflow
    participant Scope as determine-workflow-scope
    participant Tag as create-tag
    participant Tests as run-client-tests
    participant Compile as compile-tests-results
    participant Deploy as Deploy Jobs

    Trigger->>Scope: Start workflow with release_tag
    Scope->>Scope: Determine test/deploy scope
    Scope-->>Tag: run_tag=true
    Scope-->>Tests: run_client_tests=true
    
    Note over Tag: Uses secrets: inherit<br/>(GH_PAT)
    Tag->>Tag: Create and push git tag
    
    Note over Tests: NEW: secrets: inherit<br/>(GITHUB_TOKEN, GH_TIDY3D_COVERAGE_GIST)
    Tests->>Tests: Run local/remote/CLI/submodule tests
    Tests->>Tests: Access GITHUB_TOKEN for git operations
    Tests->>Tests: Access GH_TIDY3D_COVERAGE_GIST for coverage
    Tests-->>Compile: workflow_success output
    
    Compile->>Compile: Validate all test results
    Compile-->>Deploy: proceed_deploy=true
    
    Note over Deploy: Continue with deployment<br/>if tests pass

Loading

[greptile-apps]

_{1 file reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[github-actions]

Diff Coverage

Diff: origin/develop...HEAD, staged and unstaged changes

No lines with coverage information in this diff.