refactor(ci): move GitHub release creation after smoke tests, auto-cleanup on failure

Move GitHub release creation from semantic-release to the publish job,
ensuring it only happens after smoke tests pass. If smoke tests fail,
automatically clean up the release commit and tag from GitHub.

Changes:
- Remove @semantic-release/github plugin from .releaserc.yml
- Extract version from pyproject.toml in release job and pass to
  downstream jobs
- Add automatic cleanup in smoketest job if tests fail:
  - Verify HEAD commit is the release commit (sanity check)
  - Delete the release tag from remote
  - Revert the release commit with force push
- Move GitHub release creation to publish job using --notes-from-tag
- Use default GITHUB_TOKEN for creating releases (app token only needed
  for pushing to protected branch)

Benefits:
- GitHub releases only created after smoke tests pass
- Automatic cleanup if tests fail (no manual intervention needed)
- Simpler than preventing the tag/commit upfront
- Handles the common case (tests pass) with no changes to workflow time

Author: dividedmind

.github/workflows/release.yml

@@ -90,6 +90,13 @@ jobs:
             semantic-release
           fi
 
+      - name: Get version
+        if: env.DRY_RUN != 'true'
+        id: version
+        run: |
+          VERSION=$(grep '^version = ' pyproject.toml | cut -d'"' -f2)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
       - name: Upload wheel
         if: env.DRY_RUN != 'true'
         uses: actions/upload-artifact@v4
@@ -102,43 +109,90 @@ jobs:
         with:
           name: sdist
           path: dist/*.tar.gz
-    outputs:  # not reused in fact
-      release_tag: ${{ steps.semantic-release.outputs.next_release_tag }}
+    outputs:
+      version: ${{ steps.version.outputs.version }}
 
   smoketest:
     runs-on: ubuntu-latest
     needs: ['setup', 'release']
-    if: github.event.inputs.dry_run!='true' 
+    if: github.event.inputs.dry_run!='true'
     continue-on-error: ${{ needs.setup.outputs.distribution_name!='appmap' }}   # altered names won't work anyway
     steps:
+    - name: Generate token
+      uses: actions/create-github-app-token@v1
+      id: app-token
+      with:
+        app-id: ${{ secrets.RELEASE_APP_ID }}
+        private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
     - uses: actions/checkout@v5
+      with:
+        token: ${{ steps.app-token.outputs.token }}
     - uses: ./.github/actions/refetch-artifacts
     - name: dockerhub login (for seamless docker pulling)
       uses: ./.github/actions/dockerhub-login
       env:
         DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
         DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME    }}
       continue-on-error: true
-    - run: ci/scripts/run_tests.sh
+    - name: Run smoke tests
+      id: smoketest
+      run: ci/scripts/run_tests.sh
+      continue-on-error: true
       env:
         SMOKETEST_DOCKER_IMAGE: python:3.12-slim
         DISTRIBUTION_NAME: ${{ needs.setup.outputs.distribution_name }}
 
+    - name: Cleanup on failure
+      if: steps.smoketest.outcome == 'failure'
+      run: |
+        echo "::error::Smoke tests failed, cleaning up release v${{ needs.release.outputs.version }}"
+
+        # Sanity check: verify HEAD commit is the release commit
+        COMMIT_MSG=$(git log -1 --pretty=%s)
+        if [[ "$COMMIT_MSG" != "chore(release): ${{ needs.release.outputs.version }}"* ]]; then
+          echo "::error::HEAD commit message doesn't match expected release commit!"
+          echo "::error::Expected: chore(release): ${{ needs.release.outputs.version }}"
+          echo "::error::Got: $COMMIT_MSG"
+          echo "::error::Aborting cleanup - manual intervention required"
+          exit 1
+        fi
+
+        # Delete the tag from remote
+        git push --delete origin "v${{ needs.release.outputs.version }}" || true
+
+        # Reset to commit before the release commit and force push
+        git reset --hard HEAD~1
+        git push --force origin HEAD:${{ github.ref_name }}
+
+        exit 1
+
   # as a workaround to ownership issues (lost access to project)
   publish:
-    name: publish package on PyPI
-    needs: ['setup', 'release','smoketest']
+    name: publish package on PyPI and create GitHub release
+    needs: ['setup', 'release', 'smoketest']
     if:  ((  github.event.inputs.dry_run != 'true' ) && ( (needs.setup.outputs.publish_env == 'pypi') || (needs.setup.outputs.publish_env == 'testpypi') )  )
     runs-on: ubuntu-latest
     environment:
       name: ${{ needs.setup.outputs.publish_env }}
       url:  ${{ needs.setup.outputs.publish_to }}
     permissions:
       id-token: write
+      contents: write  # needed for creating GitHub releases
     steps:
       - uses: actions/checkout@v5
+        with:
+          ref: v${{ needs.release.outputs.version }}  # checkout the tag
+
       - uses: ./.github/actions/refetch-artifacts
 
+      - name: Create GitHub release
+        run: |
+          gh release create "v${{ needs.release.outputs.version }}" \
+            dist/*.whl dist/*.tar.gz \
+            --notes-from-tag
+        env:
+          GH_TOKEN: ${{ github.token }}
+
       - name: Publish to PyPI
         if:   needs.setup.outputs.publish_env=='pypi'
         uses: pypa/gh-action-pypi-publish@release/v1

.releaserc.yml

@@ -43,7 +43,5 @@ plugins:
 - - '@semantic-release/exec'
   - prepareCmd: |
       /bin/bash ./ci/scripts/build_with_poetry.sh
-- - '@semantic-release/github':
-  - assets:
-      - dist/*.whl
-      - dist/*.tar.gz
+# NOTE: @semantic-release/github plugin removed - GitHub release creation
+# now happens in the publish job after smoke tests pass