fix: push only tag in release workflow to avoid branch protection violation

[Copilot]

The Bump Version job in release.yml was pushing the version bump commit directly to main (git push origin HEAD --tags), which is rejected by branch protection rules requiring 25 status checks (GH013). The tag push succeeded; only the branch push failed.

Change

Replace the combined push with a tag-only push:

-git push origin HEAD --tags
+git push origin "v$VERSION"

Pushing a tag by ref transfers the underlying commit objects to the remote without updating refs/heads/main. All downstream jobs already check out by tag (ref: ${{ needs.bump-version.outputs.version }}), so they receive the version-bumped package.json without any other changes needed.

Original prompt

Fix the failing GitHub Actions workflow Bump Version
Analyze the workflow logs, identify the root cause of the failure, and implement a fix.
Job ID: 66808040693
Job URL: https://github.com/github/gh-aw-firewall/actions/runs/23007400980/job/66808040693

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.56%	82.70%	📈 +0.14%
Statements	82.57%	82.70%	📈 +0.13%
Functions	83.01%	83.01%	➡️ +0.00%
Branches	75.12%	75.20%	📈 +0.08%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.1% → 84.6% (+0.54%)	83.4% → 83.9% (+0.52%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Updates the release workflow to avoid branch protection failures during the version bump step by pushing only the release tag, not the bump commit, so downstream jobs can still check out and build from the tag.

Changes:

• Replace git push origin HEAD --tags with a tag-only push git push origin "v$VERSION" in the Bump Version job.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pushing only the tag means the version-bump commit (with updated package.json/package-lock.json) never lands on the triggering branch. Since this job checks out the branch (main/v*.x) and runs npm version ... based on the version in that branch, the next release run will compute the same VERSION again and then fail when attempting to create/push an already-existing v$VERSION tag. Consider either (a) updating the workflow to base the bump on the latest v* tag (checkout latest tag before npm version), or (b) pushing the bump commit via a PR/merge mechanism that satisfies branch protection so the branch version advances between releases.

Suggested change

	git tag "v$VERSION"
	git tag "v$VERSION"
	# Push the version-bump commit to the current branch so its version advances
	git push origin HEAD
	# Push the corresponding version tag

[github-actions]

🏗️ Build Test Suite Results

⚠️ ALL CLONES FAILED — GitHub CLI is not authenticated in this environment (GH_TOKEN not set). Unable to clone any test repositories.

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	❌	N/A	❌ CLONE_FAILED
Bun	hono	❌	N/A	❌ CLONE_FAILED
C++	fmt	❌	N/A	❌ CLONE_FAILED
C++	json	❌	N/A	❌ CLONE_FAILED
Deno	oak	❌	N/A	❌ CLONE_FAILED
Deno	std	❌	N/A	❌ CLONE_FAILED
.NET	hello-world	❌	N/A	❌ CLONE_FAILED
.NET	json-parse	❌	N/A	❌ CLONE_FAILED
Go	color	❌	N/A	❌ CLONE_FAILED
Go	env	❌	N/A	❌ CLONE_FAILED
Go	uuid	❌	N/A	❌ CLONE_FAILED
Java	gson	❌	N/A	❌ CLONE_FAILED
Java	caffeine	❌	N/A	❌ CLONE_FAILED
Node.js	clsx	❌	N/A	❌ CLONE_FAILED
Node.js	execa	❌	N/A	❌ CLONE_FAILED
Node.js	p-limit	❌	N/A	❌ CLONE_FAILED
Rust	fd	❌	N/A	❌ CLONE_FAILED
Rust	zoxide	❌	N/A	❌ CLONE_FAILED

Overall: 0/8 ecosystems passed — ❌ FAIL

Error Details

All gh repo clone commands failed with:

gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
  env:
    GH_TOKEN: $\{\{ github.token }}

The GH_TOKEN environment variable is not available in this workflow run. To fix this, ensure the workflow step that runs this agent has GH_TOKEN (or equivalent) set in its environment.

Generated by Build Test Suite for issue #1258 · ◷