ci: simplify publish workflow to comply with GitHub restrictions

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

.github/PULL_REQUEST_TEMPLATE.md

@@ -26,4 +26,4 @@
 - [ ] `socket_basics/version.py` updated to new version
 - [ ] `socket_basics/__init__.py` updated to the same version
 - [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:<new-version>`
-- [ ] `CHANGELOG.md` `[Unreleased]` section reviewed
+- [ ] `CHANGELOG.md` updated with human-authored release notes for this version

.github/workflows/_docker-pipeline.yml

@@ -7,11 +7,11 @@ name: _docker-pipeline (reusable)
 #
 # Two modes:
 #   push: false  →  build + smoke test + integration test (main image only)
-#   push: true   →  above + push to GHCR/Docker Hub + update floating v-tag
+#   push: true   →  above + push exact version tags to GHCR/Docker Hub
 #
 # Permissions required from the calling workflow:
 #   push: false  →  contents: read
-#   push: true   →  contents: write, packages: write
+#   push: true   →  contents: read, packages: write
 
 on:
   workflow_call:
@@ -41,7 +41,7 @@ on:
       tag_push:
         description: >
           True when the caller was triggered by a tag push (e.g. v2.0.0).
-          Controls the floating major-version tag update and the 'latest' Docker tag.
+          Controls semver metadata-action tagging for exact release tags.
           Passed explicitly rather than relying on github.ref_type inside the callee,
           since context propagation in reusable workflows can be ambiguous.
         type: boolean

.github/workflows/publish-docker.yml

@@ -80,64 +80,26 @@ jobs:
       DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
       DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
-  # ── Job 3: Create GitHub release + update CHANGELOG ────────────────────────
+  # ── Job 3: Create GitHub release ───────────────────────────────────────────
   # Runs once after the image is successfully pushed (not for workflow_dispatch
   # re-publishes — those don't create new releases).
-  # Generates categorised release notes from merged PR labels (.github/release.yml),
-  # creates the GitHub Release, then commits the CHANGELOG update back to main.
+  # Generates categorised release notes from merged PR labels (.github/release.yml).
+  # CHANGELOG updates are intentionally human-authored in the release PR so this
+  # workflow never needs to push commits to the protected default branch.
   create-release:
     needs: [resolve-version, build-test-push]
     if: github.ref_type == 'tag'
     permissions:
-      contents: write   # create GitHub release + commit CHANGELOG back to main
+      contents: write   # create GitHub release
     runs-on: ubuntu-latest
-    env:
-      VERSION: ${{ needs.resolve-version.outputs.version }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: main
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: 🤖 Generate socket-release-bot token
-        id: bot
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        with:
-          app-id: ${{ secrets.GH_BOT_APP_ID }}
-          private-key: ${{ secrets.GH_BOT_APP_PEM_FILE }}
-          owner: SocketDev
-          repositories: socket-basics
-
       - name: 📝 Create GitHub release with auto-generated notes
         env:
-          GH_TOKEN: ${{ steps.bot.outputs.token }}
+          GH_TOKEN: ${{ github.token }}
           REF_NAME: ${{ github.ref_name }}
         run: |
           gh release create "$REF_NAME" \
             --title "$REF_NAME" \
             --generate-notes \
             --verify-tag \
           || echo "Release already exists (re-run scenario) — skipping creation"
-
-      - name: 📋 Update CHANGELOG.md
-        env:
-          GH_TOKEN: ${{ steps.bot.outputs.token }}
-          REF_NAME: ${{ github.ref_name }}
-        run: |
-          NOTES=$(gh release view "$REF_NAME" --json body --jq .body)
-          DATE=$(date +%Y-%m-%d)
-          echo "$NOTES" | python scripts/update_changelog.py \
-            --version "$VERSION" \
-            --date "$DATE"
-
-      - name: 🔀 Commit CHANGELOG back to main
-        env:
-          BOT_TOKEN: ${{ steps.bot.outputs.token }}
-        run: |
-          git config user.name "socket-release-bot[bot]"
-          git config user.email "socket-release-bot[bot]@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${BOT_TOKEN}@github.com/SocketDev/socket-basics.git"
-          git add CHANGELOG.md
-          git diff --cached --quiet || git commit -m "chore: release ${github.ref_name} — update CHANGELOG [skip ci]"
-          git push origin HEAD:main

scripts/update_changelog.py

@@ -2,9 +2,9 @@
 """
 update_changelog.py — Prepend a new release section to CHANGELOG.md.
 
-Called automatically by the publish-docker workflow after a GitHub Release
-is created. Reads the generated release notes, inserts a new version section
-immediately after [Unreleased], and updates the comparison links at the bottom.
+Legacy helper for applying generated release notes locally. The publish-docker
+workflow intentionally does not call this script anymore, because release
+changelog updates are human-authored in the release PR.
 
 Usage:
     # Notes from a file: