ci: update V1_LATEST_TAG repo variable on stable releases

[kjiang-ac]

Problem

The hermes release-auggie-v2 workflow publishes v2 releases to this repo and needs to restore "latest" back to the v1 stable release afterwards. It reads a repo variable (V1_LATEST_TAG) to know which tag to re-point to.

Solution

After the bun-compile workflow creates a stable (non-prerelease) v1 release, update the V1_LATEST_TAG repo variable to the newly released version. This keeps the variable in sync automatically.

Changes

• Added variables: write permission to the release job
• Added "Update V1_LATEST_TAG variable" step that runs only for stable releases

Setup

• V1_LATEST_TAG repo variable has been created with initial value v0.24.0
• Verified the API call works via gh api --method PATCH

Companion PR

• hermes PR #176 — reads V1_LATEST_TAG and re-points latest after each v2 release

[kjiang-ac]

auggie review

[github-actions]

Review submitted with one comment about ensuring the variable update step uses credentials that can write repository variables.

---

🤖 Automated review complete. Please react with 👍 or 👎 on the individual review comments to provide feedback on their usefulness.

[github-actions]

Could we avoid using github.token for this API call? The repository variables endpoint requires repository Variables: write permission, which the workflow GITHUB_TOKEN does not expose/grant here, so this step is likely to fail with Resource not accessible by integration after the release has already been created.

Current code:

GH_TOKEN: ${{ github.token }}

Suggested improvement:

GH_TOKEN: ${{ secrets.VARIABLES_WRITE_TOKEN }}

Consider using a GitHub App token or fine-grained PAT secret scoped to repository variables write access (plus metadata read) for just this update step.

[kjiang-ac]

Good catch. Instead of a separate PAT, I added variables: write to the job's permissions block, which grants the GITHUB_TOKEN access to update repo variables. Verified the API call works — pushed in d3b28b6.

[augment-app-staging]

Review completed. 1 suggestion posted.

Code Review Triage 🛡️ · Requires Review

Justification

This PR changes release automation behavior by updating a repository variable from a GitHub Actions workflow (in an opted-out `.github/` directory), which can impact release pipelines.

Reach out to #feedback-code-review-agent for feedback

Comment augment review to trigger a new review at any time.

[augment-app-staging]

This step updates a repository Actions variable via the Actions API, but the release job only grants contents: write; with restricted job permissions, GITHUB_TOKEN may lack actions: write and this call can 403 at runtime.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎}

[kjiang-ac]

The required permission is variables: write, not actions: write. Per GitHub docs, the fine-grained token needs "Variables" repository permissions (write). This has been added to the job's permissions block in d3b28b6.

[augment-app-staging]

Review completed. 1 suggestion posted.

Code Review Triage 🛡️ · Requires Review

Justification

This PR changes a release workflow under `.github/` and adds new write permissions plus a post-release API call that mutates a repository variable.

Reach out to #feedback-code-review-agent for feedback

Comment augment review to trigger a new review at any time.

[augment-app-staging]

contains() in GitHub expressions is case-insensitive, while the prerelease detection in the Create GitHub Release step uses a bash glob match that is case-sensitive; mixed-case versions could cause the release type and the V1_LATEST_TAG update decision to diverge.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎}