fix: release-trigger uses release branch + PR instead of direct push to main (#1733)

mnriem · web-flow · commit 658ab2a38c80 · 2026-03-02T13:16:13.000-06:00
* fix: use release branch + PR instead of direct push to main

Bypass branch protection rules by pushing version bump to a
chore/release-vX.Y.Z branch, tagging that commit, then opening
an auto PR to merge back into main. The release workflow still
triggers immediately from the tag push.

* fix: remove --label automated from gh pr create (label does not exist)
diff --git a/.github/workflows/RELEASE-PROCESS.md b/.github/workflows/RELEASE-PROCESS.md
@@ -60,9 +60,10 @@ The workflow will:
 - Auto-increment the patch version (e.g., `0.1.10` → `0.1.11`)
 - Update `pyproject.toml`
 - Update `CHANGELOG.md` by adding a new section for the release based on commits since the last tag
-- Commit changes
-- Create and push git tag
-- Trigger the release workflow automatically
+- Commit changes to a `chore/release-vX.Y.Z` branch
+- Create and push the git tag from that branch
+- Open a PR to merge the version bump into `main`
+- Trigger the release workflow automatically via the tag push
 
 ### Option 2: Manual Version (For major/minor bumps)
 
@@ -75,19 +76,23 @@ The workflow will:
 - Use your specified version
 - Update `pyproject.toml`
 - Update `CHANGELOG.md` by adding a new section for the release based on commits since the last tag
-- Commit changes
-- Create and push git tag
-- Trigger the release workflow automatically
+- Commit changes to a `chore/release-vX.Y.Z` branch
+- Create and push the git tag from that branch
+- Open a PR to merge the version bump into `main`
+- Trigger the release workflow automatically via the tag push
 
 ## What Happens Next
 
 Once the release trigger workflow completes:
 
-1. The git tag is pushed to GitHub
-2. The **Release Workflow** is automatically triggered
-3. Release artifacts are built for all supported agents
-4. A GitHub Release is created with all assets
-5. Release notes are generated from PR titles
+1. A `chore/release-vX.Y.Z` branch is pushed with the version bump commit
+2. The git tag is pushed, pointing to that commit
+3. The **Release Workflow** is automatically triggered by the tag push
+4. Release artifacts are built for all supported agents
+5. A GitHub Release is created with all assets
+6. A PR is opened to merge the version bump branch into `main`
+
+> **Note**: Merge the auto-opened PR after the release is published to keep `main` in sync.
 
 ## Workflow Details
 
@@ -103,10 +108,12 @@ Once the release trigger workflow completes:
 1. Checkout repository
 2. Determine version (manual or auto-increment)
 3. Check if tag already exists (prevents duplicates)
-4. Update `pyproject.toml`
-5. Update `CHANGELOG.md`
-6. Commit changes
-7. Create and push tag
+4. Create `chore/release-vX.Y.Z` branch
+5. Update `pyproject.toml`
+6. Update `CHANGELOG.md` from git commits
+7. Commit changes
+8. Push branch and tag
+9. Open PR to merge version bump into `main`
 
 ### Release Workflow
 
diff --git a/.github/workflows/release-trigger.yml b/.github/workflows/release-trigger.yml
@@ -13,6 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      pull-requests: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -45,18 +46,18 @@ jobs:
             # Auto-increment patch version
             LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
             echo "Latest tag: $LATEST_TAG"
-            
+
             # Extract version number and increment
             VERSION=$(echo $LATEST_TAG | sed 's/v//')
             IFS='.' read -ra VERSION_PARTS <<< "$VERSION"
             MAJOR=${VERSION_PARTS[0]:-0}
             MINOR=${VERSION_PARTS[1]:-0}
             PATCH=${VERSION_PARTS[2]:-0}
-            
+
             # Increment patch version
             PATCH=$((PATCH + 1))
             NEW_VERSION="$MAJOR.$MINOR.$PATCH"
-            
+
             echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
             echo "tag=v$NEW_VERSION" >> $GITHUB_OUTPUT
             echo "Auto-incremented version: $NEW_VERSION"
@@ -69,6 +70,12 @@ jobs:
             exit 1
           fi
 
+      - name: Create release branch
+        run: |
+          BRANCH="chore/release-${{ steps.version.outputs.tag }}"
+          git checkout -b "$BRANCH"
+          echo "branch=$BRANCH" >> $GITHUB_ENV
+
       - name: Update pyproject.toml
         run: |
           sed -i "s/version = \".*\"/version = \"${{ steps.version.outputs.version }}\"/" pyproject.toml
@@ -78,22 +85,19 @@ jobs:
         run: |
           if [ -f "CHANGELOG.md" ]; then
             DATE=$(date +%Y-%m-%d)
-            
+
             # Get the previous tag to compare commits
             PREVIOUS_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
-            
+
             echo "Generating changelog from commits..."
             if [[ -n "$PREVIOUS_TAG" ]]; then
               echo "Changes since $PREVIOUS_TAG"
-              
-              # Get commits since last tag, format as bullet points
-              # Extract PR numbers and format nicely
               COMMITS=$(git log --oneline "$PREVIOUS_TAG"..HEAD --no-merges --pretty=format:"- %s" 2>/dev/null || echo "- Initial release")
             else
               echo "No previous tag found - this is the first release"
               COMMITS="- Initial release"
             fi
-            
+
             # Create new changelog entry
             {
               head -n 8 CHANGELOG.md
@@ -107,7 +111,7 @@ jobs:
               tail -n +9 CHANGELOG.md
             } > CHANGELOG.md.tmp
             mv CHANGELOG.md.tmp CHANGELOG.md
-            
+
             echo "✅ Updated CHANGELOG.md with commits since $PREVIOUS_TAG"
           else
             echo "No CHANGELOG.md found"
@@ -127,15 +131,31 @@ jobs:
             git commit -m "chore: bump version to ${{ steps.version.outputs.version }}"
             echo "Changes committed"
           fi
+
       - name: Create and push tag
         run: |
           git tag -a "${{ steps.version.outputs.tag }}" -m "Release ${{ steps.version.outputs.tag }}"
-          git push origin main
+          git push origin "${{ env.branch }}"
           git push origin "${{ steps.version.outputs.tag }}"
-          echo "Tag ${{ steps.version.outputs.tag }} created and pushed"
+          echo "Branch ${{ env.branch }} and tag ${{ steps.version.outputs.tag }} pushed"
+
+      - name: Open pull request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create \
+            --base main \
+            --head "${{ env.branch }}" \
+            --title "chore: bump version to ${{ steps.version.outputs.version }}" \
+            --body "Automated version bump to ${{ steps.version.outputs.version }}.
+
+          This PR was created by the Release Trigger workflow. The git tag \`${{ steps.version.outputs.tag }}\` has already been pushed and the release artifacts are being built.
+
+          Merge this PR to record the version bump and changelog update on \`main\`."
 
       - name: Summary
         run: |
           echo "✅ Version bumped to ${{ steps.version.outputs.version }}"
           echo "✅ Tag ${{ steps.version.outputs.tag }} created and pushed"
-          echo "🚀 Release workflow will now build artifacts automatically"
+          echo "✅ PR opened to merge version bump into main"
+          echo "🚀 Release workflow is building artifacts from the tag"
