fix: dispatch the Release pipeline on the tag ref (#145)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Thomas Kosiewski <tk@coder.com>

Author: ThomasK33

.github/workflows/release-please.yml

@@ -70,7 +70,11 @@ jobs:
           set -euo pipefail
           read -ra tags <<< "$RELEASE_TAGS"
           for tag in "${tags[@]}"; do
-            gh workflow run release.yml --field "tag=$tag"
+            # Dispatch on the tag ref (not the default branch) so the run is
+            # attributed to the tag like the old `push: tags` flow, and the
+            # OIDC claims behind npm trusted publishing/provenance reference
+            # the tag instead of whatever main's head happens to be.
+            gh workflow run release.yml --ref "$tag" --field "tag=$tag"
           done
 
       # Branch pushes made with the workflow token never trigger