chore: skip github release and use gpg signed tag flow

[SoulPancake]

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflow configurations to use centralized shared workflows.
  • Modified release process configuration to skip automatic GitHub release creation.

[coderabbitai]

Walkthrough

This PR consolidates GitHub Actions reusable workflows from openfga/sdk-generator to a centralized openfga/.github repository across three workflow files, adds workflow permissions configuration, and updates release-please settings to skip GitHub release creation while removing legacy configuration options.

Changes

CI/CD Workflow Migration and Release Configuration

Layer / File(s)	Summary
Centralize reusable workflows to openfga/.github .github/workflows/main.yaml, .github/workflows/pr-title-conventional-commit.yml, .github/workflows/release-please.yml	Three workflow jobs update their uses: references to call reusable workflows from openfga/.github/.github/workflows/ instead of openfga/sdk-generator/.github/workflows/: undraft-release, pr-title-check, and release-please.
Configure workflow-level permissions .github/workflows/pr-title-conventional-commit.yml	The pr-title-conventional-commit workflow adds a top-level permissions block granting contents: read.
Update release-please configuration release-please-config.json	Release-please config removes top-level draft and force-tag-creation options, and adds skip-github-release: true to disable automatic GitHub release creation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openfga/python-sdk#287: Both PRs modify reusable workflow wiring in main.yaml and pr-title-conventional-commit.yml, updating which workflows are invoked.
• openfga/python-sdk#267: Both PRs modify release-please-config.json to change release-please behavior and configuration options.
• openfga/python-sdk#262: The PR's change to release-please.yml reusable workflow reference overlaps with this PR's consolidation to openfga/.github.

Suggested reviewers

• rhamzeh
• sergiught

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: skipping GitHub releases and adopting GPG-signed tag flow, which aligns with the configuration update in release-please-config.json and workflow reference updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/gpg-signed-tags-release-notes

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.93%. Comparing base (2a9d14e) to head (f87272f).

❌ Your project status has failed because the head coverage (69.93%) is below the target coverage (80.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #293   +/-   ##
=======================================
  Coverage   69.93%   69.93%           
=======================================
  Files         142      142           
  Lines       10774    10774           
=======================================
  Hits         7535     7535           
  Misses       3239     3239           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR adjusts the repository’s release-please configuration to stop creating GitHub Releases as part of the release-please flow, aligning with a “signed tag” release process.

Changes:

• Remove release-please GitHub Release drafting/forced tag creation settings.
• Add skip-github-release: true to disable GitHub Release creation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/main.yaml (1)

120-125: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

undraft-release job conflicts with skip-github-release: true.

The release-please config now sets skip-github-release: true, which means release-please no longer creates a GitHub release (not even a draft) for tagged versions. This undraft-release job exists specifically to flip an existing draft release to published. With no release created, this job has nothing to operate on and will either no-op or fail (e.g., release-not-found) on every tag push.

Given the PR's stated intent to skip GitHub releases and rely on GPG-signed tags, this job appears to be leftover and should likely be removed (along with the needs: [publish]/permissions wiring). Please confirm whether undraft-release.yml on openfga/.github tolerates a missing release before keeping it.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/main.yaml around lines 120 - 125, The undraft-release job
is now obsolete because release-please is configured with skip-github-release:
true so no draft release is created; remove the undraft-release job block (the
undraft-release job name and its uses:
openfga/.github/.github/workflows/undraft-release.yml@main plus its needs:
[publish] and permissions: contents: write wiring) from the workflow, or
alternatively gate it behind a check that release-please creates a release; if
you prefer to keep it instead of deleting, explicitly verify call to
undraft-release.yml tolerates a missing release and add a conditional input or
if-check tied to the release-please behavior before keeping undraft-release and
its publish dependency.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yaml:
- Line 125: The reusable workflow reference "uses:
openfga/.github/.github/workflows/undraft-release.yml@main" is invalid because
the target ref doesn't contain a .github/workflows file; update the `uses:` to
point to an existing reusable workflow in the correct repo/path or pin to a
specific commit SHA—e.g., change the reference to the proper repository/path
that actually contains undraft-release.yml (or replace `@main` with the commit SHA
or valid branch on the repo that contains the workflow); ensure the `uses:`
entry is a valid reusable-workflow reference so the release pipeline can run.

---

Outside diff comments:
In @.github/workflows/main.yaml:
- Around line 120-125: The undraft-release job is now obsolete because
release-please is configured with skip-github-release: true so no draft release
is created; remove the undraft-release job block (the undraft-release job name
and its uses: openfga/.github/.github/workflows/undraft-release.yml@main plus
its needs: [publish] and permissions: contents: write wiring) from the workflow,
or alternatively gate it behind a check that release-please creates a release;
if you prefer to keep it instead of deleting, explicitly verify call to
undraft-release.yml tolerates a missing release and add a conditional input or
if-check tied to the release-please behavior before keeping undraft-release and
its publish dependency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 422a67e8-dd1d-4c87-b799-9adccb177f18

📥 Commits

Reviewing files that changed from the base of the PR and between 2a9d14e and 8a533d3.

📒 Files selected for processing (4)

• .github/workflows/main.yaml
• .github/workflows/pr-title-conventional-commit.yml
• .github/workflows/release-please.yml
• release-please-config.json