@waleedlatif1
Collaborator

@waleedlatif1 waleedlatif1 commented Jan 26, 2026

Summary

  • Automate GitHub Release creation when merging version commits to main
  • Runs existing release script after Docker builds complete
  • No more manual bun release step needed
  • Add explicit permissions blocks to all workflows (security best practice)

Type of Change

  • New feature
  • Security improvement

Testing

Tested by reviewing workflow logic

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Jan 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment | Jan 26, 2026 9:23pm |


@greptile-apps
Contributor

greptile-apps bot commented Jan 26, 2026

Greptile Overview

Greptile Summary

This PR automates GitHub release creation when version commits (e.g., v0.5.35: feature name) are merged to main, and adds explicit permissions blocks to all workflows for better security.

Key changes:

  • New create-release job in CI workflow runs after Docker builds complete and automatically creates GitHub releases
  • Release script now checks for existing releases before creating new ones, making the workflow idempotent
  • Explicit permissions blocks added to all 8 workflow files (security best practice per GitHub's recommendations)
  • The automation eliminates the manual bun release step previously required after version commits

Implementation details:

  • The release job only runs when detect-version identifies a version commit pattern on main branch
  • Dependencies ensure releases are only created after all build jobs (AMD64, ARM64, manifests) complete successfully
  • Script gracefully handles duplicate releases by checking getReleaseByTag before creation
  • Permissions follow least-privilege: most workflows get contents: read, only those creating releases/tags get contents: write

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk after addressing the duplicate release handling note
  • The changes are well-implemented with proper idempotency handling and security improvements. The duplicate release detection in scripts/create-single-release.ts:372-389 properly addresses the previous review comment. Permissions are correctly scoped. Minor observation: the workflow doesn't explicitly handle the case where tag creation might fail independently, but this is an edge case and the current implementation is solid.
  • No files require special attention - all changes are straightforward and follow best practices

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Added auto-release job with duplicate detection and workflow-level read permissions |
| scripts/create-single-release.ts | Added duplicate release detection to make script idempotent, fixed unused variable warning |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Git as Git (main branch)
    participant CI as CI Workflow
    participant Build as Build Jobs
    participant Release as create-release Job
    participant GitHub as GitHub API

    Dev->>Git: Push version commit (e.g., "v0.5.35: new feature")
    Git->>CI: Trigger CI workflow
    CI->>CI: detect-version job extracts version from commit
    CI->>Build: test-build runs tests
    Build->>Build: build-amd64 creates AMD64 images
    Build->>Build: build-ghcr-arm64 creates ARM64 images
    Build->>Build: create-ghcr-manifests creates multi-arch manifests
    Build->>Release: Trigger after manifests complete
    Release->>Release: Checkout code with full history
    Release->>Release: Install dependencies (bun install)
    Release->>GitHub: Check if release already exists (getReleaseByTag)
    alt Release already exists
        GitHub->>Release: 200 OK (release exists)
        Release->>Release: Skip creation (idempotent)
    else Release doesn't exist
        GitHub->>Release: 404 Not Found
        Release->>Release: Generate release notes from commits
        Release->>GitHub: Create release (createRelease)
        GitHub->>Release: Release created successfully
    end
```
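A small audit for the permission layout the review summary above describes, as an added example that is not part of the PR or the project's code: it flags workflows with no explicit `permissions` block and records where `write` is granted so a reviewer can confirm it stays on the release job. `auditWorkflow` and both sample workflows are constructed for illustration, and the scan assumes block-style YAML with 2-space indents.

```javascript
// Added example, not the project's code. Line-based scan: assumes block-style
// workflow YAML with 2-space indents (no YAML library, so it runs offline).
function auditWorkflow(name, text) {
  const report = { name, topLevelPermissions: false, writeGrants: [], findings: [] };
  let section = null;    // current top-level key
  let job = null;        // current job id while inside `jobs:`
  let owner = null;      // owner of the permissions block being read
  let ownerIndent = -1;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\s+#.*$/, '');
    const m = line.trim().match(/^([\w-]+):\s*(.*)$/);
    if (!m) continue;    // blank lines, comments, list items
    const indent = line.search(/\S/);
    const [, key, value] = m;
    if (owner !== null && indent <= ownerIndent) owner = null;  // block ended
    if (owner !== null) {
      if (value === 'write') report.writeGrants.push({ owner, scope: key });
      continue;
    }
    if (indent === 0) { section = key; job = null; }
    else if (section === 'jobs' && indent === 2) job = key;
    if (key === 'permissions' && (indent === 0 || (job && indent === 4))) {
      const who = indent === 0 ? 'workflow' : `job:${job}`;
      if (indent === 0) report.topLevelPermissions = true;
      if (value === 'write-all') report.findings.push(`${who} grants write-all`);
      else if (value === '') { owner = who; ownerIndent = indent; }
    }
  }
  if (!report.topLevelPermissions) report.findings.push('no workflow-level permissions block');
  for (const g of report.writeGrants)
    if (g.owner === 'workflow') report.findings.push(`${g.scope}: write applies to every job`);
  return report;
}

// Constructed sample workflows (job names follow the PR description).
const CI_YML = `
permissions:
  contents: read
jobs:
  test-build:
    runs-on: ubuntu-latest
  create-release:
    permissions:
      contents: write
    steps:
      - run: echo release
`;
const LEGACY_YML = 'name: Docs\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n';
console.log(auditWorkflow('ci.yml', CI_YML), auditWorkflow('legacy.yml', LEGACY_YML));
```

A workflow with no `permissions` key gets whatever default token scope the repository or organization is configured with, which is why the missing block is reported as a finding.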

@waleedlatif1 waleedlatif1 changed the title from "feat(ci): auto-create github releases on version merge" to "feat(ci): auto-create github releases and add workflow permissions" Jan 26, 2026
Contributor

@greptile-apps greptile-apps bot left a comment


2 files reviewed, 2 comments


@greptile-apps
Contributor

greptile-apps bot commented Jan 26, 2026

Additional Comments (1)

.github/workflows/ci.yml
If a release already exists for this version, the GitHub API will return a 422 error and fail the workflow. Check if release exists first or handle the error gracefully

    await octokit.rest.repos.createRelease({
      owner: REPO_OWNER,
      repo: REPO_NAME,
      tag_name: targetVersion,
      name: targetVersion,
      body: releaseBody,
      draft: false,
      prerelease: false,
      target_commitish: versionCommit.hash,
    }).catch((error) => {
      if (error.status === 422) {
        console.log(`ℹ️ Release ${targetVersion} already exists, skipping creation`)
        return
      }
      throw error
    })
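The check-then-create flow discussed in this thread, as an added example rather than the project's `scripts/create-single-release.ts`: it looks the release up first, creates it only on a 404, and treats a 422 from the create call as "already exists" only when a second lookup confirms it. `ensureRelease` and `makeFakeOctokit` are hypothetical names, and the fake client is a constructed in-memory stand-in for the two Octokit calls named on this page.

```javascript
// Added example, not the project's script. `octokit` is any client exposing
// rest.repos.getReleaseByTag / createRelease; makeFakeOctokit is a constructed
// in-memory stand-in so the flow runs offline.
async function ensureRelease(octokit, { owner, repo, tag, body, commit }) {
  const lookup = () => octokit.rest.repos.getReleaseByTag({ owner, repo, tag });
  try {
    return { action: 'skipped', id: (await lookup()).data.id };
  } catch (error) {
    if (error.status !== 404) throw error;  // auth or rate-limit errors must fail the job
  }
  try {
    const { data } = await octokit.rest.repos.createRelease({
      owner, repo, tag_name: tag, name: tag, body,
      draft: false, prerelease: false, target_commitish: commit,
    });
    return { action: 'created', id: data.id };
  } catch (error) {
    if (error.status !== 422) throw error;
    // 422 is a generic validation error: treat it as "already exists" only if a
    // re-check finds the release (a concurrent run won the race); else rethrow.
    const found = await lookup().catch(() => { throw error; });
    return { action: 'skipped', id: found.data.id };
  }
}

function makeFakeOctokit(existingTags = [], { raceOnCreate = false } = {}) {
  const releases = new Map(existingTags.map((t, i) => [t, { id: i + 1 }]));
  const fail = (status) => Object.assign(new Error(`HTTP ${status}`), { status });
  return { rest: { repos: {
    async getReleaseByTag({ tag }) {
      if (!releases.has(tag)) throw fail(404);
      return { data: releases.get(tag) };
    },
    async createRelease({ tag_name }) {
      if (raceOnCreate) releases.set(tag_name, { id: 99 });  // simulated concurrent run
      if (releases.has(tag_name)) throw fail(422);
      const data = { id: releases.size + 1 };
      releases.set(tag_name, data);
      return { data };
    },
  } } };
}

// Constructed inputs: placeholder owner/repo/commit, tag taken from the PR's example.
const SAMPLE = { owner: 'example-org', repo: 'example-repo', tag: 'v0.5.35', body: 'notes', commit: 'abc123' };
ensureRelease(makeFakeOctokit(), SAMPLE).then((r) => console.log(r));
```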

@waleedlatif1
Collaborator Author

@greptile

Contributor

@greptile-apps greptile-apps bot left a comment


No files reviewed, no comments


@waleedlatif1 waleedlatif1 merged commit 12495ef into staging Jan 26, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/ci branch January 26, 2026 21:29