fix: CI workflow permissions and E2E secret cleanup

[mmols]

Summary

• Grant contents: write and packages: write to the release job in tag-release.yaml.
  When calling release.yaml via workflow_call, the called workflow's permissions
  are capped by the caller. The release job had no explicit permissions, so it
  defaulted to the pull_request trigger's read-only scope, failing validation even
  when the job was skipped by its if condition.

• Wait for CNPG-managed secrets to be garbage collected between E2E tests.
  TestNodesAddNodeZeroDowntime was timing out on every open PR because
  uninstallChart() only waited for clusters, pods, jobs, and PVCs — not the
  operator-generated secrets (<cluster>-ca, <cluster>-server). These are owned
  by the Cluster resource and GC'd asynchronously. When the next test reused the
  same cluster names, the new CA didn't match the stale server cert, causing a
  permanent x509: ECDSA verification failure between the operator and instance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b851e38b-c8cf-43fc-b41a-b9d724834816

📥 Commits

Reviewing files that changed from the base of the PR and between 047da06 and ddf2378.

📒 Files selected for processing (2)

• .github/workflows/tag-release.yaml
• test/integration/suite_test.go

---

📝 Walkthrough

Walkthrough

Two files were modified: the GitHub Actions workflow now explicitly grants package write permissions to the release job, and the integration test cleanup function adds a blocking wait for CNPG-managed Kubernetes secrets to be completely deleted after Helm uninstall.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Permissions .github/workflows/tag-release.yaml	Release job now explicitly declares GitHub token permissions with contents: write and packages: write.
Test Cleanup Enhancement test/integration/suite_test.go	Integration test teardown now waits for deletion of CNPG-labeled Kubernetes secrets (cnpg.io/cluster) in addition to previously monitored resources, with fatal error handling if deletion times out.

Poem

🐰 Hops with glee through workflows clean,
Permissions granted, clearly seen,
Tests await their secrets gone,
Before the next test carries on! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and accurately summarizes both main changes: CI workflow permission fixes and E2E secret cleanup improvements.
Description check	✅ Passed	The description clearly relates to the changeset, providing detailed rationale for both CI workflow permission changes and E2E test secret cleanup enhancements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/PLAT-447/release-workflow-permissions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[rshoemaker]

looks good.