fix(release): authenticate release-please with PAT (enterprise blocks GITHUB_TOKEN PRs)

[Sam Gammon (sgammon)]

The first release run after merging #32 failed: the release-please job built the release branch but couldn't open the release PR —

GitHub Actions is not permitted to create or approve pull requests

This is an enterprise policy (not a repo/org toggle we can flip; the repo setting returns a 409 The enterprise does not allow GitHub Actions to create or approve pull requests). The standard fix is to have release-please authenticate with a user PAT instead of GITHUB_TOKEN — a PAT isn't subject to that Actions policy.

This passes the existing PUBLISH_TOKEN (classic PAT, repo+workflow) as release-please's token:. No new secret needed.

Once merged, the release workflow re-runs on main and release-please opens the v0.1.0 release PR.

Alternative (hardened, optional follow-up): a dedicated GitHub App token via actions/create-github-app-token instead of a classic PAT.

[Copilot]

Pull request overview

Updates the release workflow so release-please authenticates with a user PAT (PUBLISH_TOKEN) instead of GITHUB_TOKEN, working around an enterprise policy that blocks GitHub Actions from creating/approving pull requests. This keeps the existing automated release pipeline functional without introducing new secrets.

Changes:

• Pass secrets.PUBLISH_TOKEN as release-please-action’s token input so it can open the release PR under enterprise restrictions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codspeed-hq]

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 9 untouched benchmarks

---

_{Comparing fix/release-please-token (cf08055) with main (ed992ce)}