From 245cc6f810d2089251a7657a17498c9054faa15d Mon Sep 17 00:00:00 2001
From: James Stocker <james.stocker@intenthq.co.uk>
Date: Fri, 22 May 2026 10:03:29 +0200
Subject: [PATCH] Create GitHub releases when tagging

The tag workflow currently creates and pushes git tags but never creates
corresponding GitHub Releases. This makes the repo incompatible with
Renovate (and similar tools), which uses GitHub Releases for action
version lookups. See #182.

Changes:

- Add `permissions: contents: write` so GITHUB_TOKEN can create
  releases.
- Use `gh release create --target <sha>` to create the release; this
  also creates the tag if missing, so we no longer need a separate
  `git tag` + `git push --tags` step.
- Gate the loop on release existence (`gh release view`) rather than
  tag existence. This makes the workflow idempotent: a partial failure
  on a previous run is reconciled, and pre-existing tags that lack a
  release are backfilled on the next run.
- Walk commits in chronological order (`--reverse`) so each release's
  auto-generated notes diff against the previous release.
- Use full commit SHAs (`%H`) for `--target` correctness.
---
 .github/workflows/tag.yml | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index 55902328..f783deaf 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -9,6 +9,9 @@ on:
   # To allow for manual testing.
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   tag:
     runs-on:
@@ -21,22 +24,32 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - name: Tag new versions
+      - name: Tag and release new versions
         shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          set -e
+          set -euo pipefail
 
-          commits=$(git log --pretty=format:"%h" ./VERSION)
+          # Walk commits that touched VERSION in chronological order so each
+          # release's auto-generated notes diff against the previous release.
+          commits=$(git log --reverse --pretty=format:"%H" ./VERSION)
           for commit in $commits; do
-              version=$(git show $commit:./VERSION)
-              if [ -n "$(git tag -l "v${version}")" ]; then
+              version=$(git show "$commit:./VERSION")
+              tag="v${version}"
+
+              # `gh release create` creates the tag if it doesn't exist, so we
+              # gate purely on release existence. This makes the workflow
+              # idempotent and self-healing: a partial failure (tag pushed but
+              # release creation failed) is reconciled on the next run, and
+              # pre-existing tags without a release are backfilled.
+              if gh release view "$tag" >/dev/null 2>&1; then
                   continue
               fi
 
-              echo "Tagging $commit as v${version}"
-              git tag "v${version}" $commit
+              echo "Creating release $tag at $commit"
+              gh release create "$tag" \
+                  --title "$tag" \
+                  --generate-notes \
+                  --target "$commit"
           done
-
-      - name: Push new tags
-        shell: bash
-        run: git push --tags