Release workflow: don't commit directly to main

.github/workflows/release-branch.yaml

@@ -79,6 +79,7 @@ jobs:
 
     permissions:
       contents: write
+      pull-requests: write
 
     needs: [tag, compute-version, localazy]
     steps:
@@ -102,3 +103,14 @@ jobs:
               sha,
             });
             console.log(`Created branch ${branch} from ${sha}`);
+
+      - name: Open a pull request to merge the branch into main
+        env:
+          VERSION: ${{ needs.compute-version.outputs.short }}
+        run: |
+          gh pr create \
+            --title "Release branch $VERSION" \
+            --body "This pull request was automatically created by the release workflow. It merges the release branch back to main." \
+            --base main \
+            --head "release/v$VERSION" \
+            --label "T-Task"

.github/workflows/release-bump.yaml

@@ -54,17 +54,38 @@ jobs:
     secrets:
       BOT_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
 
-  merge-back:
-    name: Open a pull request to merge the release branch back to main
+  update-branch:
+    name: Update the release branch
     runs-on: ubuntu-22.04
 
     permissions:
       pull-requests: write
 
     needs: [tag, compute-version]
-    if: github.event.inputs.merge-back
     steps:
+      - name: Update the release branch
+        uses: actions/github-script@v7.0.1
+        env:
+          BRANCH: "${{ github.ref_name }}"
+          SHA: ${{ needs.tag.outputs.sha }}
+        with:
+          github-token: ${{ secrets.BOT_GITHUB_TOKEN }}
+          script: |
+            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
+            const branch = process.env.BRANCH;
+            const sha = process.env.SHA;
+            const ref = `refs/heads/${branch}`;
+
+            await github.rest.git.updateRef({
+              owner,
+              repo,
+              ref,
+              sha,
+            });
+            console.log(`Updated branch ${branch} to ${sha}`);
+
       - name: Open a pull request to merge the release branch back to main
+        if: github.event.inputs.merge-back
         env:
           VERSION: ${{ needs.compute-version.outputs.version }}
         run: |

.github/workflows/tag.yaml

@@ -46,10 +46,6 @@ jobs:
         working-directory: tools/syn2mas
         run: npm version "${{ inputs.version }}" --no-git-tag-version
 
-      - name: Re-format package.json with biome
-        working-directory: tools/syn2mas
-        run: npx biome format --write package.json
-
       - name: Commit and tag using the GitHub API
         uses: actions/github-script@v7.0.1
         id: commit
@@ -142,11 +138,3 @@ jobs:
               sha: tagSha,
             });
             console.log("Created tag ref:", tag.data.url);
-
-            const ref = await github.rest.git.updateRef({
-              owner,
-              repo,
-              ref: `heads/${branch}`,
-              sha: commit,
-            });
-            console.log("Updated branch ref:", ref.data.url);