chore: skip github release and use gpg signed tag flow #347

Open: SoulPancake wants to merge 3 commits into main from chore/gpg-signed-tags-release-notes

@SoulPancake SoulPancake commented Jun 2, 2026

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to reference shared workflow definitions from a centralized repository.
    • Explicitly defined permissions for pull request workflows.
    • Modified release configuration to disable automatic GitHub release generation.

Copilot AI review requested due to automatic review settings June 2, 2026 06:02
@SoulPancake SoulPancake requested a review from a team as a code owner June 2, 2026 06:02

codecov-commenter commented Jun 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.47%. Comparing base (d186a7a) to head (79dd437).

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #347   +/-   ##
=========================================
  Coverage     38.47%   38.47%           
  Complexity     1267     1267           
=========================================
  Files           198      198           
  Lines          7704     7704           
  Branches        900      900           
=========================================
  Hits           2964     2964           
  Misses         4591     4591           
  Partials        149      149           

coderabbitai Bot commented Jun 2, 2026

Walkthrough

This PR centralizes GitHub Actions workflow references from openfga/sdk-generator to openfga/.github, updates permission declarations in the pr-title-check workflow, and modifies release-please configuration to disable GitHub release generation while removing draft settings.

Changes

Workflow Centralization and Release Configuration

| Layer / File(s) | Summary |
| --- | --- |
| Centralize workflow references and add permissions: .github/workflows/pr-title-check.yml, .github/workflows/main.yaml, .github/workflows/release-please.yml | Three CI/CD workflows update reusable workflow source references to use openfga/.github instead of openfga/sdk-generator. The pr-title-check workflow adds explicit top-level permissions: contents: read and job-level permissions: pull-requests: read declarations. |
| Update release-please configuration: release-please-config.json | Configuration is updated to set skip-github-release: true, disabling GitHub release generation. The previous draft and force-tag-creation settings are removed. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • openfga/java-sdk#341: Modifies the same GitHub Actions workflow wiring (undraft-release, pr-title-check, release-please) by switching reusable workflow sources between openfga/sdk-generator and openfga/.github.
  • openfga/java-sdk#339: Modifies release-please-config.json alongside release-please.yml workflow to adjust release pipeline configuration.
  • openfga/java-sdk#329: Changes release-please-config.json to modify release-please workflow behavior alongside workflow file updates.

Suggested reviewers

  • rhamzeh
  • curfew-marathon
  • sergiught
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main changes: skipping GitHub releases and switching to a GPG-signed tag flow, which aligns with the primary modifications in release-please-config.json and workflow updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Copilot AI left a comment

Pull request overview

Switches release-please configuration to skip GitHub release creation, in favor of a GPG-signed tag flow.

Changes:

  • Remove draft: true and force-tag-creation: true from release-please config
  • Add skip-github-release: true to release-please config

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/main.yaml:
- Line 157: The reusable workflow reference for the undraft-release job
currently uses the mutable ref
"openfga/.github/.github/workflows/undraft-release.yml@main"; replace that with
a pinned full-length commit SHA (e.g.,
openfga/.github/.github/workflows/undraft-release.yml@<full-commit-sha>) to make
the job deterministic. Locate the undraft-release job in main.yaml and update
the uses string to reference the exact commit SHA (you can obtain it with git
rev-parse or from the GitHub commit history for the openfga/.github repo) so the
action no longer tracks the moving main branch.

In @.github/workflows/pr-title-check.yml:
- Line 16: Replace the external reusable workflow references that use a mutable
branch with immutable commit SHAs: locate the `uses:
openfga/.github/.github/workflows/pr-title-check.yml@main` entry in
.github/workflows/pr-title-check.yml and replace `@main` with the specific
commit SHA from the openfga/.github repo; do the same for the `uses:
.../release-please.yml@main` reference (in .github/workflows/release-please.yml)
and the `uses: .../undraft-release.yml@main` reference (in
.github/workflows/main.yaml) so each `uses:` points to an exact commit SHA
instead of `@main`.

In @.github/workflows/release-please.yml:
- Line 39: The workflow is calling the reusable workflow with "uses:
openfga/.github/.github/workflows/release-please.yml@main" while passing
release/signing secrets (RELEASER_APP_CLIENT_ID, RELEASER_APP_PRIVATE_KEY,
GPG_PRIVATE_KEY, GPG_PASSPHRASE); replace the `@main` ref with an immutable commit
SHA for the reusable workflow (i.e., change "uses:
openfga/.github/.github/workflows/release-please.yml@main" to "uses:
openfga/.github/.github/workflows/release-please.yml@<commit-sha>") so upstream
changes cannot affect future releases, using the specific SHA from the upstream
repo's commit that you want to pin.

In `@release-please-config.json`:
- Line 5: The workflow runs an undraft-release step even though release-please
is configured with "skip-github-release": true in release-please-config.json, so
update the .github/workflows/main.yaml to stop depending on a release object:
either remove the undraft-release step or add a conditional guard (e.g., check
the release-please flag or an output/variable that indicates a release was
created) so undraft-release only runs when a release was actually created;
reference the release-please-config.json "skip-github-release" key and the
undraft-release step in main.yaml when making the change.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1533f485-05c0-42f5-845a-0f36efdcfdb6

📥 Commits

Reviewing files that changed from the base of the PR and between d186a7a and d6f16a6.

📒 Files selected for processing (4)
  • .github/workflows/main.yaml
  • .github/workflows/pr-title-check.yml
  • .github/workflows/release-please.yml
  • release-please-config.json

Comment thread .github/workflows/main.yaml
Comment thread .github/workflows/pr-title-check.yml
Comment thread .github/workflows/release-please.yml
Comment thread release-please-config.json
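
Added example, not part of this PR or of any participant's comment: a small audit that lists every `uses:` reference in a workflow file, marks whether it is pinned to a full 40-character commit SHA, and collects the secrets handed to it, which is the check the review comments above ask for. The sample workflow text, its job names and the 40-hex SHA are constructed placeholders; only the workflow paths and secret names come from the review.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally as the first key of a step (`- uses:`).
USES_RE = re.compile(r"^(\s*(?:-\s+)?)uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\b")

# Constructed sample; the job names and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    uses: openfga/.github/.github/workflows/release-please.yml@main
    secrets:
      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
  title-check:
    uses: openfga/.github/.github/workflows/pr-title-check.yml@0123456789abcdef0123456789abcdef01234567
"""


def audit_uses(workflow_text):
    """Return one finding per external `uses:` reference in a workflow file."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, target, ref = len(m.group(1)), m.group(2), m.group(3)
        secrets = []
        # Sibling keys (`secrets:`, `with:`) follow at the same or deeper indentation.
        for follow in lines[i + 1:]:
            if follow.strip() and len(follow) - len(follow.lstrip()) < indent:
                break
            secrets += SECRET_RE.findall(follow)
            if INHERIT_RE.match(follow):
                secrets.append("<inherit: all caller secrets>")
        findings.append({"line": i + 1, "target": target, "ref": ref,
                         "pinned": bool(FULL_SHA_RE.match(ref)), "secrets": secrets})
    return findings


def mutable_refs_with_secrets(findings):
    """The highest-risk subset: a moving ref that also receives secrets."""
    return [f for f in findings if not f["pinned"] and f["secrets"]]


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        state = "pinned" if f["pinned"] else "MUTABLE"
        print(f"line {f['line']}: {f['target']}@{f['ref']} [{state}] secrets={f['secrets']}")
```

The scan is line-based and indentation-driven rather than a full YAML parse, so it is meant as a CI gate or pre-merge check on conventionally formatted workflow files.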
@SoulPancake SoulPancake enabled auto-merge June 3, 2026 04:17