[WIP] Fix workflow to support branch protection rules #132

Merged
ghandic merged 4 commits into main from copilot/update-release-workflow
Jan 14, 2026

Copilot AI commented Jan 14, 2026

  • Analyze the repository structure and understand the current release workflow
  • Identify the issue: workflow tries to push directly to protected main branch
  • Modify the release workflow to create a branch instead of committing to main
  • Add step to create a pull request for the version bump
  • Update permissions to include pull-requests: write
  • Add logic to create GitHub release when version bump PR is merged
  • Validate YAML syntax
  • Address code review feedback
    • Simplified PR body construction
    • Use github.ref instead of git rev-parse for branch checking
  • Run final code review on the changes
  • Run CodeQL security check
Original prompt

The release job failed because the workflow tried to push a commit directly to the protected main branch, which is not allowed due to these branch protection rules:

  • Commits must have verified signatures.
  • Changes must be made through a pull request.

To fix this, update your workflow so that automated version bumps and changes:

  1. Create a new branch for the changes (instead of committing to main).
  2. Open a pull request targeting the main branch.
  3. Use a GPG key or GitHub App to sign commits if your protections require it.

Here’s how you could modify your workflow’s release step in .github/workflows/release.yaml:

```yaml
- name: Configure git
  run: |
    git config user.name "github-actions[bot]"
    git config user.email "github-actions[bot]@users.noreply.github.com"
    # If you need to sign commits, set GPG signing config here.

- name: Create a release branch
  run: |
    BRANCH="release/version-bump-$(date +%s)"
    # Persist BRANCH for later steps; shell variables do not survive the step.
    echo "BRANCH=$BRANCH" >> "$GITHUB_ENV"
    git checkout -b "$BRANCH"
    # Your version bump script here, e.g., update jsf/BUILD
    # It must also write NEW_VERSION=<value> to "$GITHUB_ENV" for the steps below.

- name: Commit and push changes
  run: |
    git add jsf/BUILD
    git commit -m "chore: bump version to $NEW_VERSION [skip ci]"
    git push origin "$BRANCH"

- name: Create pull request
  uses: peter-evans/create-pull-request@v5
  with:
    branch: ${{ env.BRANCH }}
    title: "chore: bump version to ${{ env.NEW_VERSION }}"
    body: "Automated version bump."
    base: main
```
With this process, your changes will comply with the protected branch rules and allow the automation to continue.

If "verified signatures" is required, set up GPG signing in the GitHub Actions workflow. Let me know if you need code for GPG signing or more details!
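
Steps 1 and 2 of the procedure in the prompt above, rehearsed against a throwaway local remote. This is an added example, not part of this PR or the project's workflow; the scratch repository, the `jsf/BUILD` contents, the version numbers and the function names are constructed for illustration. Commit signing (step 3) is not covered.

```shell
#!/bin/sh
# Added example (not the project's workflow): rehearse the branch-based bump
# against a throwaway local "origin". Repo contents and versions are constructed.
set -eu

# Build a scratch clone and a bare remote; leaves the shell in the working tree.
setup_sandbox() {
  SANDBOX="$(mktemp -d)"
  GITHUB_ENV="$SANDBOX/github_env"   # on a runner this file is provided for you
  : > "$GITHUB_ENV"
  git init -q --bare "$SANDBOX/origin.git"
  git init -q "$SANDBOX/work"
  cd "$SANDBOX/work"
  git symbolic-ref HEAD refs/heads/main
  git config user.name "github-actions[bot]"
  git config user.email "github-actions[bot]@users.noreply.github.com"
  git config commit.gpgsign false    # scratch repo has no key; real jobs sign here
  mkdir jsf
  printf 'version = "1.2.2"\n' > jsf/BUILD   # constructed file contents
  git add jsf/BUILD
  git commit -q -m "initial"
  git remote add origin "$SANDBOX/origin.git"
  git push -q origin main
}

# Commit the bump ($1 = new version) on a fresh branch, never on main.
bump_on_branch() {
  BRANCH="release/version-bump-$(date +%s)"
  # A shell variable dies with its step; write it to GITHUB_ENV so the
  # pull-request step can read env.BRANCH and env.NEW_VERSION.
  { echo "BRANCH=$BRANCH"; echo "NEW_VERSION=$1"; } >> "$GITHUB_ENV"
  git checkout -q -b "$BRANCH"
  printf 'version = "%s"\n' "$1" > jsf/BUILD
  git add jsf/BUILD
  git commit -q -m "chore: bump version to $1 [skip ci]"
  git push -q origin "$BRANCH"
}

# Commit hash of a branch as the remote sees it (empty if the branch is absent).
remote_hash() {
  git ls-remote origin "refs/heads/$1" | cut -f1
}

# Demo run: the remote's main must be identical before and after the bump.
setup_sandbox
before="$(remote_hash main)"
bump_on_branch 1.2.3
[ "$(remote_hash main)" = "$before" ] && echo "main untouched, PR branch: $BRANCH"
```
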



Copilot AI and others added 3 commits January 14, 2026 22:32
Co-authored-by: ghandic <23500353+ghandic@users.noreply.github.com>
Removed push trigger for main branch.

Signed-off-by: Andy Challis <andrewchallis@hotmail.co.uk>
…b.ref

Co-authored-by: ghandic <23500353+ghandic@users.noreply.github.com>
@ghandic ghandic marked this pull request as ready for review January 14, 2026 22:34
@ghandic ghandic merged commit 7fd4f68 into main Jan 14, 2026
2 checks passed
@ghandic ghandic deleted the copilot/update-release-workflow branch January 14, 2026 22:34
Copilot AI requested a review from ghandic January 14, 2026 22:34
Copilot stopped work on behalf of ghandic due to an error January 14, 2026 22:34