fix: handle branch protection in release workflow

- Revert auto-bump for workflow_run trigger (can't push to protected branches)
- Add clear notice messages when release is skipped due to existing tag
- Require RELEASE_TOKEN secret (PAT with bypass permissions) for auto-bump
- Provide helpful error messages when RELEASE_TOKEN is not configured

To trigger a release:
1. Bump version in Cargo.toml before merging to main (recommended)
2. OR set up RELEASE_TOKEN secret and use workflow_dispatch with bump_type
3. OR push a tag directly (e.g., git tag v2.2.0 && git push origin v2.2.0)

Author: rishitank

.github/workflows/release.yml

@@ -108,14 +108,10 @@ jobs:
 
             # Check if this version tag already exists
             if git tag -l "v$CURRENT_VERSION" | grep -q .; then
-              echo "Tag v$CURRENT_VERSION already exists, auto-bumping patch version"
-              # Auto-bump patch version
-              IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
-              NEW_VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
-              echo "Auto-bumped to: $NEW_VERSION"
-              echo "should_release=true" >> $GITHUB_OUTPUT
-              echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
-              echo "needs_bump=true" >> $GITHUB_OUTPUT
+              echo "::notice::Tag v$CURRENT_VERSION already exists. To create a new release, either:"
+              echo "::notice::  1. Bump the version in Cargo.toml before merging to main"
+              echo "::notice::  2. Use workflow_dispatch with bump_type to auto-bump and release"
+              echo "should_release=false" >> $GITHUB_OUTPUT
             else
               echo "New version v$CURRENT_VERSION detected, will release"
               echo "should_release=true" >> $GITHUB_OUTPUT
@@ -129,14 +125,25 @@ jobs:
           echo "should_release=false" >> $GITHUB_OUTPUT
 
   # Bump version in Cargo.toml if needed
+  # Note: This job requires a PAT with bypass permissions to push to protected branches
+  # Set the RELEASE_TOKEN secret to enable auto-bumping, otherwise bump version manually before release
   bump-version:
     needs: check
     if: needs.check.outputs.should_release == 'true' && needs.check.outputs.needs_bump == 'true'
     runs-on: ubuntu-latest
     steps:
+      - name: Check for release token
+        id: check-token
+        run: |
+          if [ -z "${{ secrets.RELEASE_TOKEN }}" ]; then
+            echo "::error::Auto-bump requires RELEASE_TOKEN secret (a PAT with repo scope and bypass permissions)"
+            echo "::error::Either set up RELEASE_TOKEN or bump the version in Cargo.toml before merging to main"
+            exit 1
+          fi
+
       - uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_TOKEN }}
 
       - name: Update Cargo.toml version
         run: |
@@ -154,7 +161,7 @@ jobs:
           git commit -m "chore: bump version to $VERSION [skip ci]"
           git push
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
 
   build:
     needs: [check, bump-version]