Fix release-tag workflow to push only annotated tags to main (#87)

* fix release-tag workflow for release tag on main

The release-tag workflow checks out a commit (not a branch), leaving
git in detached HEAD state.  `git push origin HEAD` fails because git
cannot resolve the bare `HEAD` symbolic ref to a remote branch name.

Create a temporary local branch before committing and use an explicit
refspec (`tmp/release-vX.Y.Z:refs/heads/main`) so the push is an
unambiguous fast-forward to main.

* fix(release-tag): push only the tag, not the commit to main

Branch protection on main requires PRs, status checks, and code
scanning — direct pushes are rejected.  Instead of pushing the
version-bump commit to main, commit it locally and push only the
annotated tag ref.  Downstream release jobs check out by tag so
they receive the correct versioned code.

* fix(release-tag): push only the tag, not the commit to main

Branch protection on main requires PRs, status checks, and code
scanning — direct pushes are rejected.  Instead of pushing the
version-bump commit to main, commit it locally and push only the
annotated tag ref.  Downstream release jobs check out by tag so
they receive the correct versioned code.

Author: data-douser

.github/workflows/release-tag.yml

@@ -143,7 +143,7 @@ jobs:
 
           # workflow_call checkouts may leave us in detached HEAD when the
           # caller is triggered from a tag ref. Create a temporary local
-          # branch so that `git commit` works and we can push to main.
+          # branch so that `git commit` and `git tag` work correctly.
           TEMP_BRANCH="tmp/release-${TAG}"
           git checkout -B "${TEMP_BRANCH}"
 
@@ -160,13 +160,16 @@ jobs:
           else
             git commit -m "Release ${TAG}: update versions to ${RELEASE_NAME}"
             CURRENT_SHA=$(git rev-parse HEAD)
-            git push origin "${TEMP_BRANCH}:refs/heads/main"
             echo "✅ Committed version changes at ${CURRENT_SHA:0:8}"
           fi
 
-          # Create and push the tag
+          # Create the annotated tag on the (possibly new) commit and push
+          # it. We intentionally do NOT push the commit to main because
+          # branch protection rules require PRs and status checks. The
+          # tagged commit is reachable via the tag ref and is used by all
+          # downstream release jobs to build artifacts.
           git tag -a "${TAG}" -m "Release ${TAG}" "${CURRENT_SHA}"
-          git push origin "${TAG}"
+          git push origin "refs/tags/${TAG}"
           echo "✅ Created and pushed tag ${TAG} at commit ${CURRENT_SHA:0:8}"
           echo "tag_sha=${CURRENT_SHA}" >> $GITHUB_OUTPUT