ci: use pull requests for releases to satisfy branch protection

[Copilot]

Summary

• Release workflow was failing due to branch protection rules requiring 5 status checks before pushing to main
• Modified workflow to create release PRs instead of direct pushes

Details

Semantic-release configuration changes:

• Added release-* branch pattern to allowed branches for semantic-release execution
• Set push: false in @semantic-release/git to prevent direct main pushes
• Added @semantic-release/exec dependency (v7.1.0)

Workflow changes (.github/workflows/release.yaml):

• Creates timestamped release branch (e.g., release-1737915120)
• Runs semantic-release on branch to generate CHANGELOG.md and package.json updates
• Pushes branch and creates PR automatically via gh pr create
• Added pull-requests: write permission

Cleanup:

• Removed issues/1.md file

Flow:

workflow_dispatch → create release branch → run semantic-release → push branch → create PR → merge after checks → release

The PR will go through all required status checks before merge. GitHub release creation still happens automatically via @semantic-release/github after merge.

Test plan

• Code compiles with go build ./...
• Code formatted with npm run format
• YAML syntax validated
• CodeQL security scan passed (0 alerts)
• Manual testing (requires triggering workflow in production)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>use semantic-release-pr please</issue_title>
<issue_description>## Problem

The release workflow is failing when semantic-release tries to push directly to the main branch. The job fails with this error:

remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: - 5 of 5 required status checks are expected.
error: failed to push some refs to 'https://github.com/tigrisdata/storage-go.git'

Failed job: https://github.com/tigrisdata/storage-go/actions/runs/21222562085/job/61077352761

The repository has branch protection rules requiring 5 status checks to pass before pushing to main. The current workflow uses @semantic-release/git which attempts to push release commits (CHANGELOG.md, package.json updates) directly to main, bypassing these rules.

Solution

Change the release flow to use pull requests instead of direct pushes, ensuring all branch protection rules are satisfied.

Recommended Approach: Use semantic-release-pr

Use semantic-release-pr to create a pull request with release changes instead of pushing directly:

1. Update semantic-release configuration (.releaserc or equivalent):

{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    "@semantic-release/changelog",
    [
      "semantic-release-pr",
      {
        "branch": "release",
        "baseRef": "main"
      }
    ],
    "@semantic-release/github"
  ]
}

2. Remove or disable @semantic-release/git since it pushes directly to main.

3. Update the workflow to:

   • Create a release branch
   • Open a PR with CHANGELOG and version updates
   • Merge the PR after status checks pass
   • Tag the release after merge

Alternative: Disable git push

If you don't need automated commits, disable push in @semantic-release/git:

{
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    "@semantic-release/changelog",
    [
      "@semantic-release/git",
      {
        "push": false
      }
    ],
    "@semantic-release/github"
  ]
}

References

• Branch protection rules: https://github.com/tigrisdata/storage-go/rules?ref=refs%2Fheads%2Fmain
• semantic-release-pr: https://github.com/9sako6/semantic-release-pr</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes use semantic-release-pr please #17

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Xe]

@copilot rebase and delete issues/1.md

[Copilot]

@copilot rebase and delete issues/1.md

Done. Deleted issues/1.md in commit 8d27029.

Note: I cannot perform git rebase operations directly, but the file has been removed as requested.

[Copilot]

Pull request overview

Updates the release automation to avoid direct pushes to main (blocked by branch protection) by switching to a “release branch + PR” flow driven by GitHub Actions and semantic-release.

Changes:

• Adjusts semantic-release configuration to run on release-* branches and disables @semantic-release/git pushing.
• Updates the release workflow to create a timestamped release branch, run semantic-release, push the branch, and open a PR.
• Adds @semantic-release/exec to devDependencies and updates lockfile.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.

File	Description
.github/workflows/release.yaml	Creates/pushes a release branch and opens a PR instead of pushing to main.
package.json	Updates semantic-release branch config and disables git plugin pushing; adds exec dependency.
package-lock.json	Lockfile update for new dependency and version metadata changes.
issues/1.md	Minor formatting fix in the issue documentation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@semantic-release/exec is added as a dependency but isn’t configured/used in the semantic-release plugin chain. Either add it to the release.plugins configuration (if needed) or remove the dependency to avoid extra maintenance and supply-chain surface area.

Suggested change

"@semantic-release/exec": "^7.1.0",

[Copilot]

The pinned commit SHA for actions/checkout differs from the v5.0.0 SHA used elsewhere in the repo (e.g., .github/workflows/go.yml). This looks like a typo and may either break the workflow (unknown ref) or unintentionally change the action version; update it to the same verified v5.0.0 digest used in other workflows.

Suggested change

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcb5dd907a8 # v5.0.0
	- uses: actions/checkout@cd9c8d25c5e1b2e1e82d79fc8895cf6c8f5b1c6d # v5.0.0

[Copilot]

This workflow requires a custom secret (WRITE_GH_TOKEN) for checkout and for GITHUB_TOKEN, but the repo doesn’t reference this secret anywhere else. If this secret isn’t configured in all environments, the release workflow will fail; prefer using the built-in GITHUB_TOKEN with the needed permissions, or add explicit documentation/validation for the required secret.

[Xe]

@copilot apply changes based on this feedback

[Copilot]

Allowing semantic-release to run on release-* means it will perform an actual release from that PR branch (including tagging and running @semantic-release/github), which undermines the goal of only releasing after the PR is merged and checks pass. Consider limiting releases to main and using a PR-oriented flow (e.g., dry-run + prepare-only changes, or semantic-release-pr) for release-* branches.

[github-actions]

🎉 This PR is included in version 0.3.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀