Fix workflow triggers: use personal access token for tag pushes

[mkistler]

Problem

The publish/release workflow did not trigger as expected when the auto-tag workflow added a tag on main.

Diagnosis

• The .github/workflows/auto-tag.yaml workflow pushes a tag using GITHUB_TOKEN after a version change.
• The .github/workflows/release.yaml workflow is configured to trigger on push to tags matching v*.
• However, GitHub Actions does NOT trigger a workflow when a tag is pushed using GITHUB_TOKEN. This is documented by GitHub and is a security feature to prevent recursive workflow runs:

  When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.
  https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

• As a result, although the tag is pushed successfully, the release.yaml workflow does not run.

Solution

• Use a Personal Access Token (PAT) or GitHub App token instead of GITHUB_TOKEN in the auto-tag.yaml workflow to push the tag.
• Steps:
  1. Create a PAT with repo permissions and add it as a secret (e.g., PAT_TOKEN) in repository settings.
  2. Update actions/checkout and tag/push steps in auto-tag.yaml:

     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
         token: ${{ secrets.PAT_TOKEN }}  # Use PAT for push actions

     and,

     git push origin "$TAG"
     # use PAT authentication

References

• GitHub Documentation: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
• Current workflow files:
  • auto-tag.yaml
  • release.yaml

Acceptance Criteria

• Tag pushes by auto-tag workflow should trigger downstream workflows that reference the tag push event.
• Document and test the change to confirm the release workflow now triggers consistently.