Merge pull request #296 from Wikid82/main

Propagate changes from main into development

.github/workflows/auto-changelog.yml

@@ -14,4 +14,4 @@ jobs:
       - name: Draft Release
         uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

.github/workflows/auto-versioning.yml

@@ -60,28 +60,42 @@ jobs:
           # Export the tag for downstream steps
           echo "tag=${TAG}" >> $GITHUB_OUTPUT
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
+
+      - name: Determine tag
+        id: determine_tag
+        run: |
+          # Prefer created tag output; if empty fallback to semver version
+          TAG="${{ steps.create_tag.outputs.tag }}"
+          if [ -z "$TAG" ]; then
+            # semver.version contains a tag value like 'vX.Y.Z' or fallback 'v0.0.0'
+            VERSION_RAW="${{ steps.semver.outputs.version }}"
+            VERSION_NO_V="${VERSION_RAW#v}"
+            TAG="v${VERSION_NO_V}"
+          fi
+          echo "Determined tag: $TAG"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
 
       - name: Check for existing GitHub Release
         id: check_release
         run: |
-          TAG=${{ steps.create_tag.outputs.tag }}
+          TAG=${{ steps.determine_tag.outputs.tag }}
           echo "Checking for release for tag: ${TAG}"
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
           if [ "${STATUS}" = "200" ]; then
             echo "exists=true" >> $GITHUB_OUTPUT
           else
             echo "exists=false" >> $GITHUB_OUTPUT
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
 
       - name: Create GitHub Release (tag-only, no workspace changes)
         if: ${{ steps.semver.outputs.changed && steps.check_release.outputs.exists == 'false' }}
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
-          tag_name: ${{ steps.create_tag.outputs.tag }}
-          name: Release ${{ steps.create_tag.outputs.tag }}
+          tag_name: ${{ steps.determine_tag.outputs.tag }}
+          name: Release ${{ steps.determine_tag.outputs.tag }}
           body: ${{ steps.semver.outputs.release_notes }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

.github/workflows/benchmark.yml

@@ -42,7 +42,7 @@ jobs:
           name: Go Benchmark
           tool: 'go'
           output-file-path: backend/output.txt
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.CHARON_TOKEN }}
           auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
           # Show alert with commit comment on detection of performance regression
           alert-threshold: '150%'

.github/workflows/docker-publish.yml

@@ -169,7 +169,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           sarif_file: 'trivy-results.sarif'
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.CHARON_TOKEN }}
 
       - name: Create summary
         if: steps.skip.outputs.skip_build != 'true'

.github/workflows/release-goreleaser.yml

@@ -13,10 +13,10 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     env:
-      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
+      # Use the built-in CHARON_TOKEN by default for GitHub API operations.
       # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret
       # at the repo or organization level and update the env here accordingly.
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
@@ -47,7 +47,8 @@ jobs:
         with:
           version: 0.13.0
 
-      # GITHUB_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+      # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6

.github/workflows/renovate_prune.yml

@@ -26,15 +26,15 @@ jobs:
         run: |
           if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
             echo "Using CHARON_TOKEN" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
           else
             echo "Using CPMP_TOKEN fallback" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
           fi
       - name: Prune renovate branches
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
-          github-token: ${{ env.GITHUB_TOKEN }}
+          github-token: ${{ env.CHARON_TOKEN }}
           script: |
             const owner = context.repo.owner;
             const repo = context.repo.repo;