
@renovate-bot-cbcoutinho
Contributor

This PR contains the following updates:

Package                     | Type   | Update | Change
----------------------------|--------|--------|------------------
softprops/action-gh-release | action | minor  | v2.4.2 -> v2.5.0

Release Notes

softprops/action-gh-release (softprops/action-gh-release)

v2.5.0

Compare Source

What's Changed

Exciting New Features 🎉
Other Changes 🔄
  • chore(deps): bump the npm group across 1 directory with 5 updates by @dependabot[bot] in #697
  • chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by @dependabot[bot] in #689

New Contributors

Full Changelog: softprops/action-gh-release@v2.4.2...v2.5.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.

@claude

claude bot commented Dec 1, 2025

PR Review: Update softprops/action-gh-release to v2.5.0

✅ Summary

This Renovate-generated PR updates the softprops/action-gh-release GitHub Action from v2.4.2 to v2.5.0 in the bump-version workflow. The change is minimal, low-risk, and follows the repository's security best practices.


🔍 Code Quality & Best Practices

✅ Excellent security practice: The PR maintains SHA-256 commit hash pinning (a06a81a03ee405af7f2048a818ed3f03bbf83c7b) alongside the version tag. This is a security best practice that prevents tag manipulation attacks.

✅ Consistent with repository patterns: The update follows the same pinning strategy used in other workflows (e.g., actions/checkout@1af3b93b... in both bump-version.yml and release.yml).

✅ Proper Renovate configuration: The repository uses config:best-practices and mergeConfidence:all-badges, which is appropriate for automated dependency updates.


🐛 Potential Issues

⚠️ New feature to be aware of: v2.5.0 introduces a new feature that marks releases as draft until all artifacts are uploaded (PR #692).

Impact assessment:

  • Current workflow (.github/workflows/bump-version.yml:27-32): Creates a release with only a changelog body file
  • New behavior: The release will now be marked as draft during upload, then published when complete
  • Risk level: Low - this is an improvement for atomic releases, but worth monitoring the first execution

Recommendation: After merge, verify that the next automated version bump completes successfully and that releases are properly published (not left in draft state).


🚀 Performance Considerations

✅ No performance impact: This is a GitHub Action version bump with no changes to the workflow logic or execution pattern.


🔒 Security Concerns

✅ No security issues identified:

  • Commit hash pinning is maintained and correct
  • The update comes from the official upstream repository
  • The new v2.5.0 release includes only dependency updates and a feature enhancement
  • No breaking changes or security vulnerabilities reported

🧪 Test Coverage

✅ No test changes required: This is a workflow-only change that doesn't affect application code.

Validation recommendation: After merge, monitor the next automatic release (triggered on push to master) to ensure:

  1. The bump-version workflow completes successfully
  2. The GitHub release is created and published (not left in draft)
  3. The changelog body is correctly attached

✅ Recommendation

APPROVE - This is a safe, well-formed dependency update that:

  • Maintains security best practices (commit hash pinning)
  • Includes a minor feature improvement (atomic draft releases)
  • Has no breaking changes
  • Follows repository conventions

The only action item is to monitor the next automated release after merge to confirm the new draft-then-publish behavior works as expected with this workflow's single-artifact pattern.
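The review above approves the update because the action stays pinned to a full commit hash with the version recorded in a comment. The following check, added here as an example (it is not code from this repository, from Renovate or from the review bot), scans a workflow file for `uses:` steps and classifies each one by pin status. The sample workflow is constructed; only the softprops/action-gh-release hash and version come from this PR, every other ref is made up.

```python
import re
from dataclasses import dataclass

# Matches "uses: <target>  # optional version comment" in a GitHub Actions workflow.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(?P<target>[^\s#]+)(?:[ \t]*#[ \t]*(?P<comment>\S+))?",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full Git commit id, the only immutable ref


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    status: str  # "pinned", "unpinned" or "pinned-no-version-comment"


def check_action_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per remote `uses:` step, classified by how it is pinned."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        target, comment = m.group("target"), m.group("comment")
        # Local and docker:// actions are not resolved through GitHub tags; skip them.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.rpartition("@")
        line = workflow_text.count("\n", 0, m.start()) + 1
        if not FULL_SHA_RE.match(ref):
            status = "unpinned"  # tag or branch: the commit it resolves to can be moved
        elif comment is None:
            status = "pinned-no-version-comment"  # immutable, but the version is not recorded
        else:
            status = "pinned"
        findings.append(Finding(line, action, ref, status))
    return findings


# Constructed sample workflow: the action-gh-release pin is the one from this PR;
# the other hashes and the example-org actions are made up for illustration.
SAMPLE_WORKFLOW = """\
name: bump-version
jobs:
  release:
    steps:
      - uses: ./.github/actions/local-setup
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5.0.1 (constructed hash)
      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
      - uses: example-org/some-action@v1
      - uses: example-org/other-action@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for f in check_action_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} -> {f.status}")
```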

cbcoutinho merged commit 0e47ae0 into master Dec 1, 2025
3 checks passed
renovate-bot-cbcoutinho bot deleted the renovate/softprops-action-gh-release-2.x branch December 2, 2025 11:08