From 90fbd8f3b83467c7a20eba90c927e7bcf2b2c1f0 Mon Sep 17 00:00:00 2001
From: Norm Provost
Date: Thu, 25 Jun 2026 14:36:15 -0400
Subject: [PATCH 1/2] Add release workflow for tagging
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 54 +++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..eb7a4fa
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,54 @@
+name: Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Version to release (semver, no leading v — e.g. 5.0.3)"
+ required: true
+ type: string
+
+permissions:
+ contents: read
+
+jobs:
+ tag:
+ runs-on: ubuntu-latest
+ environment: master
+ steps:
+ - name: Validate version
+ env:
+ VERSION: ${{ inputs.version }}
+ run: |
+ if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
+ echo "Version must be semver (e.g. 5.0.3 or 5.0.3-beta.1)"
+ exit 1
+ fi
+
+ - name: Mint App installation token
+ id: app-token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ app-id: ${{ secrets.PACKAGIST_PUBLISHER_APP_ID }}
+ private-key: ${{ secrets.PACKAGIST_PUBLISHER_PRIVATE_KEY }}
+
+ - name: Create annotated tag on master HEAD
+ env:
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ VERSION: ${{ inputs.version }}
+ REPO: ${{ github.repository }}
+ run: |
+ set -euo pipefail
+ SHA=$(gh api "repos/$REPO/commits/master" --jq .sha)
+ echo "Tagging $SHA as $VERSION"
+
+ TAG_OBJ=$(gh api -X POST "repos/$REPO/git/tags" \
+ -f tag="$VERSION" \
+ -f message="Release $VERSION" \
+ -f object="$SHA" \
+ -f type=commit \
+ --jq .sha)
+
+ gh api -X POST "repos/$REPO/git/refs" \
+ -f ref="refs/tags/$VERSION" \
+ -f sha="$TAG_OBJ"
From 43719955fdf0d7438a899f903c44c2ac7ed3e9eb Mon Sep 17 00:00:00 2001
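Review bot: The commit that gets tagged is whatever `repos/$REPO/commits/master` returns when the third step runs, not the commit the operator dispatched the workflow from, so master can advance between the dispatch (or an environment approval, if `environment: master` has reviewers) and the tag, and the run's own `github.sha` will not match the release. Pinning the tag to the dispatched ref makes the release auditable from the run record: add `if: github.ref == 'refs/heads/master'` to the `tag` job and replace the `SHA=$(gh api …)` lookup with `SHA: ${{ github.sha }}` in that step's `env`. The environment may already carry a deployment-branch rule that limits which branches can run this job, but that is not visible in the workflow itself. Passing `inputs.version` through `env` rather than interpolating it into `run:` is the right pattern and is worth keeping if the step is reworked.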
From: Norm Provost
Date: Thu, 25 Jun 2026 14:39:20 -0400
Subject: [PATCH 2/2] Scope app token to contents:write only
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eb7a4fa..5e73e66 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,6 +31,7 @@ jobs:
 with:
 app-id: ${{ secrets.PACKAGIST_PUBLISHER_APP_ID }}
 private-key: ${{ secrets.PACKAGIST_PUBLISHER_PRIVATE_KEY }}
+ permission-contents: write

 - name: Create annotated tag on master HEAD
 env:
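Review bot: Nothing in the step records why the token is minted from an App instead of using `GITHUB_TOKEN`, or why `contents: write` is the only permission requested, so the next editor has no guard against widening it casually; a comment above the new line such as `# contents:write is the narrowest scope that can create tag objects and refs; widen only with review` would fix that. Presumably the App token is used so that the new tag triggers downstream workflows, which refs created with `GITHUB_TOKEN` do not, and if so that is worth stating in the same comment. The step's `with:` block and the following `Create annotated tag` step are shown in full, so the change stands on its own.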