fix: add major version tag update to release workflow (#465)

* fix: add major version tag update to release workflow

## What

Added an `update_major_tag` job to the release workflow that force-updates
the floating major version tag (e.g., `v9`) to point to the latest release
tag after each release is published.

## Why

Releases created by `github-actions[bot]` using `GITHUB_TOKEN` do not
trigger downstream workflows due to GitHub's anti-cascade protection. The
standalone `major-version-updater.yml` workflow, which listens for
`release: published` events, was never firing for v9.x releases. Moving
the logic into the release workflow itself ensures the major tag update
runs as part of the same pipeline.

## Notes

- The standalone `major-version-updater.yml` is intentionally kept as a manual `workflow_dispatch` fallback
- The job guards on `needs.release.outputs.full-tag != ''` to skip when no release is produced
- Unlike the standalone workflow, this does NOT set `persist-credentials: false` on checkout — credentials are needed for `git push`

Co-Authored-By: Kenyatta <153775386+Kenyatta-forbes@users.noreply.github.com>
Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: set persist-credentials to true for major tag update workflows

## What

Changed `persist-credentials` from `false` to `true` in the standalone
`major-version-updater.yml` and explicitly set it to `true` in the new
`update_major_tag` job in `release.yml`.

## Why

The standalone workflow fails on `git push` with "could not read Username"
because `persist-credentials: false` strips the git credentials after
checkout. Both workflows need credentials to force-push the major version tag.

## Notes

- The standalone workflow has been broken since the `persist-credentials: false` change was introduced, which is why all manual dispatch runs in April 2025 failed before succeeding (credentials were likely configured differently in the successful runs)
- `persist-credentials: true` is the default for `actions/checkout`, but being explicit here documents the intentional choice since `git push` depends on it

Co-Authored-By: Kenyatta <153775386+Kenyatta-forbes@users.noreply.github.com>
Signed-off-by: jmeridth <jmeridth@gmail.com>

* fix: simplify major tagging with existing output

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>
Co-authored-by: Kenyatta <153775386+Kenyatta-forbes@users.noreply.github.com>

Author: jmeridth

.github/workflows/major-version-updater.yml

@@ -28,7 +28,7 @@ jobs:
         with:
           fetch-tags: true
           ref: ${{ github.event.inputs.TAG_NAME || github.ref }}
-          persist-credentials: false
+          persist-credentials: true
       - name: version
         id: version
         run: |

.github/workflows/release.yml

@@ -35,6 +35,33 @@ jobs:
       image-registry: ghcr.io
       image-registry-username: ${{ github.actor }}
       image-registry-password: ${{ secrets.GITHUB_TOKEN }}
+  update_major_tag:
+    needs: release
+    if: ${{ needs.release.outputs.full-tag != '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-tags: true
+          ref: ${{ needs.release.outputs.full-tag }}
+          persist-credentials: true
+
+      - name: Force update major tag
+        run: |
+          git tag -f "${SHORT}" "${FULL}"
+          git push -f origin "${SHORT}"
+        env:
+          SHORT: ${{ needs.release.outputs.short-tag }}
+          FULL: ${{ needs.release.outputs.full-tag  }}
+
   release_discussion:
     needs: release
     permissions: