fix: invoke release workflow directly from tag-release via workflow_call #53

Merged: mmols merged 1 commit into main from fix/PLAT-447/release-workflow-trigger on Apr 17, 2026

Conversation

@mmols mmols commented Apr 16, 2026

Summary

The release workflow never ran after merging a release/* PR because tag-release.yaml pushes the tag using GITHUB_TOKEN, and GitHub silently drops events triggered by GITHUB_TOKEN to prevent infinite workflow loops.

Changes

  • tag-release.yaml — now calls release.yaml directly via workflow_call after pushing the tag, instead of relying on the push event to trigger it
  • release.yaml — accepts a workflow_call trigger with a version input, falling back to github.ref_name for manual tag pushes

How it works

| Path | Flow |
|---|---|
| Merged release/* PR | tag-release → creates tag → calls release.yaml via workflow_call |
| Manual tag push (e.g. RC) | release.yaml triggers directly via on: push: tags |

No double execution on the PR path — the GITHUB_TOKEN tag push is suppressed, so only the workflow_call invocation runs.
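
The two trigger paths from the summary above, as an added sketch that is not part of the original PR or the repository's workflow files. The PR-closed trigger, the step layout, the version derivation from the branch name and the `v*` tag pattern are assumptions; only the `workflow_call` input, the exported `version` output, `secrets: inherit` and the `github.ref_name` fallback come from the description.

```yaml
# Constructed sketch, not the repository's files; triggers, steps and tag pattern are assumed.
# --- .github/workflows/tag-release.yaml ---
on:
  pull_request:
    types: [closed]
permissions:
  contents: write   # lets GITHUB_TOKEN push the tag
jobs:
  tag-release:
    if: github.event.pull_request.merged && startsWith(github.head_ref, 'release/')
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.merge_commit_sha }}
      - id: version
        env:
          HEAD_REF: ${{ github.head_ref }}   # via env, not interpolated into the script
        run: echo "version=${HEAD_REF#release/}" >> "$GITHUB_OUTPUT"
      - env:
          VERSION: ${{ steps.version.outputs.version }}
        run: git tag "$VERSION" && git push origin "$VERSION"   # GITHUB_TOKEN push: no new run
  release:
    needs: tag-release
    uses: ./.github/workflows/release.yaml
    with:
      version: ${{ needs.tag-release.outputs.version }}
    secrets: inherit
---
# --- .github/workflows/release.yaml ---
on:
  push:
    tags: ['v*']    # manual tag pushes, e.g. an RC
  workflow_call:
    inputs:
      version:
        required: true
        type: string
jobs:
  release:
    runs-on: ubuntu-latest
    env:
      VERSION: ${{ inputs.version || github.ref_name }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.VERSION }}   # under workflow_call, github.ref is the caller's ref
```

Under `workflow_call` the `github` context belongs to the caller, so the called workflow has to check out the tag named by the input rather than rely on the default ref.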

coderabbitai Bot commented Apr 16, 2026

Walkthrough

The release workflow is refactored to support being invoked as a reusable workflow with an explicit version input. The tag-release workflow now exports its computed version and triggers a downstream release job, establishing a workflow dependency chain for release orchestration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release Workflow Enhancement: .github/workflows/release.yaml | Added workflow_call trigger with required version input. Modified version resolution logic to use inputs.version when provided, otherwise falls back to github.ref_name. Downstream outputs remain unchanged (version, chart_version, release_version). |
| Tag-Release Workflow Integration: .github/workflows/tag-release.yaml | Added output export of computed version from the tag-release job. Introduced new downstream release job that depends on tag-release, calls the reusable release workflow, and passes the version via workflow inputs with secret inheritance. |

Poem

🐰 A rabbit hops through workflows so fine,
Version strings dance in perfect line,
From tag to release, the chain takes flight,
Reusable workflows, what a delight!
Each hop upstream, each bound downward too,
The carrot of clarity shines bright and true. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: enabling the release workflow to be invoked directly from tag-release via workflow_call, which solves the core problem addressed in this PR. |
| Description check | ✅ Passed | The description clearly explains the problem (GITHUB_TOKEN preventing workflow triggers), the changes made to both files, and how the solution works for different triggering paths. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@codacy-production
Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/tag-release.yaml:
- Around line 47-52: The workflow currently uses secrets: inherit in the release
job, granting the called workflow every repository secret; replace this with an
explicit secrets mapping to enforce least privilege: review the inputs expected
by the called workflow (the reusable workflow referenced by uses:
./.github/workflows/release.yaml and the input version: ${{
needs.tag-release.outputs.version }}) and list only the specific secrets it
needs (e.g., GITHUB_TOKEN, NPM_TOKEN, SIGNING_KEY, etc.) by replacing secrets:
inherit with secrets: { SECRET_NAME: ${{ secrets.SECRET_NAME }}, ... } so that
only those named secrets are passed to the release job.

📥 Commits

Reviewing files that changed from the base of the PR and between 7a11168 and 8dbad26.

📒 Files selected for processing (2)
  • .github/workflows/release.yaml
  • .github/workflows/tag-release.yaml
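
The least-privilege change raised in the review comment above, as an added sketch that is not part of the PR or the repository's files. `REGISTRY_TOKEN` is a placeholder name; the page does not say which secrets the release workflow reads.

```yaml
# Constructed sketch, not the repository's files. REGISTRY_TOKEN is a
# placeholder for whatever secret the release job actually reads.
# --- caller: release job in .github/workflows/tag-release.yaml ---
jobs:
  release:
    needs: tag-release
    uses: ./.github/workflows/release.yaml
    with:
      version: ${{ needs.tag-release.outputs.version }}
    # Before: "secrets: inherit" passed every secret available to the caller.
    # After: only the secrets named here reach the called workflow.
    secrets:
      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
---
# --- callee: .github/workflows/release.yaml declares what it accepts ---
on:
  push:
    tags: ['v*']   # assumed pattern; on this path secrets.* reads repository secrets directly
  workflow_call:
    inputs:
      version:
        required: true
        type: string
    secrets:
      REGISTRY_TOKEN:
        required: true   # a caller that omits it fails instead of running without the secret
```

The called workflow gets its own `GITHUB_TOKEN` automatically, with permissions no broader than the caller's, so that token needs no mapping; steps in release.yaml keep reading `${{ secrets.REGISTRY_TOKEN }}` on both trigger paths.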

@mmols mmols requested a review from rshoemaker April 17, 2026 13:43
@rshoemaker rshoemaker left a comment

Looks good

@mmols mmols merged commit 047da06 into main Apr 17, 2026
5 checks passed
@mmols mmols deleted the fix/PLAT-447/release-workflow-trigger branch April 17, 2026 15:20