feat(ci): auto-create github releases and add workflow permissions (#3009)

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   test-build:
     name: Test and Build
@@ -278,3 +281,30 @@ jobs:
     if: needs.check-docs-changes.outputs.docs_changed == 'true'
     uses: ./.github/workflows/docs-embeddings.yml
     secrets: inherit
+
+  # Create GitHub Release (only for version commits on main, after all builds complete)
+  create-release:
+    name: Create GitHub Release
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    needs: [create-ghcr-manifests, detect-version]
+    if: needs.detect-version.outputs.is_release == 'true'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Create release
+        env:
+          GH_PAT: ${{ secrets.GITHUB_TOKEN }}
+        run: bun run scripts/create-single-release.ts ${{ needs.detect-version.outputs.version }}

.github/workflows/docs-embeddings.yml

@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch: # Allow manual triggering
 
+permissions:
+  contents: read
+
 jobs:
   process-docs-embeddings:
     name: Process Documentation Embeddings

.github/workflows/migrations.yml

@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   migrate:
     name: Apply Database Migrations

.github/workflows/publish-cli.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - 'packages/cli/**'
 
+permissions:
+  contents: read
+
 jobs:
   publish-npm:
     runs-on: blacksmith-4vcpu-ubuntu-2404

.github/workflows/publish-python-sdk.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - 'packages/python-sdk/**'
 
+permissions:
+  contents: write
+
 jobs:
   publish-pypi:
     runs-on: blacksmith-4vcpu-ubuntu-2404

.github/workflows/publish-ts-sdk.yml

@@ -6,6 +6,9 @@ on:
     paths:
       - 'packages/ts-sdk/**'
 
+permissions:
+  contents: write
+
 jobs:
   publish-npm:
     runs-on: blacksmith-4vcpu-ubuntu-2404

.github/workflows/test-build.yml

@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-build:
     name: Test and Build

scripts/create-single-release.ts

@@ -197,7 +197,7 @@ async function getCommitsBetweenVersions(
     const commitEntries = gitLog.split('\n').filter((line) => line.trim())
 
     const nonVersionCommits = commitEntries.filter((line) => {
-      const [hash, message] = line.split('|')
+      const [, message] = line.split('|')
       const isVersionCommit = message.match(/^v\d+\.\d+/)
       if (isVersionCommit) {
         console.log(`⏭️ Skipping version commit: ${message.substring(0, 50)}...`)
@@ -369,6 +369,25 @@ async function main() {
       console.log(`ℹ️ No previous version found (this might be the first release)`)
     }
 
+    try {
+      const existingRelease = await octokit.rest.repos.getReleaseByTag({
+        owner: REPO_OWNER,
+        repo: REPO_NAME,
+        tag: targetVersion,
+      })
+      if (existingRelease.data) {
+        console.log(`ℹ️ Release ${targetVersion} already exists, skipping creation`)
+        console.log(
+          `🔗 View release: https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/tag/${targetVersion}`
+        )
+        return
+      }
+    } catch (error: any) {
+      if (error.status !== 404) {
+        throw error
+      }
+    }
+
     const releaseBody = await generateReleaseBody(versionCommit, previousCommit || undefined)
 
     console.log(`🚀 Creating GitHub release for ${targetVersion}...`)