From 5e47e393f571a6a31d03353ff9cc12fc139adc03 Mon Sep 17 00:00:00 2001
From: Ivan Dlugos
Date: Thu, 18 Sep 2025 11:42:12 +0200
Subject: [PATCH 1/2] chore: add minimal Craft release tooling configuration

- Add .craft.yml with minimal configuration for GitHub-only releases
- Add release workflow with required version input
- Uses no-op preReleaseCommand since no version tracking needed
- Enables automated release management via craft
---
 .craft.yml | 5 +++++
 .github/workflows/release.yml | 36 +++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 .craft.yml
 create mode 100644 .github/workflows/release.yml

diff --git a/.craft.yml b/.craft.yml
new file mode 100644
index 00000000..48fd6df0
--- /dev/null
+++ b/.craft.yml
@@ -0,0 +1,5 @@
+minVersion: 0.23.1
+changelogPolicy: auto
+preReleaseCommand: pwsh -c ''
+targets:
+  - name: github
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..e608856e
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,36 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to release
+        required: true
+      force:
+        description: Force a release even when there are release-blockers (optional)
+        required: false
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    name: "Release a new version"
+    steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Prepare release
+        uses: getsentry/action-prepare-release@v1
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        with:
+          version: ${{ github.event.inputs.version }}
+          force: ${{ github.event.inputs.force }}
\ No newline at end of file
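Review bot: The no-op `preReleaseCommand: pwsh -c ''` carries no explanation in the file itself, so a later maintainer cannot tell whether it is a placeholder still to be filled in or a deliberate choice; the reason is only in the commit message and belongs next to the line. Add above it `# Deliberate no-op: this repository needs no version bump before a release; replace with the real bump command if versioned files are added later.` The diff also ends with "\ No newline at end of file" on the `- name: github` line; add the trailing newline so the file is POSIX-clean and the next edit to that line does not show a spurious change.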
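Review bot: `uses: actions/checkout@v4` and `uses: getsentry/action-prepare-release@v1` are pinned to mutable tags, while the first step pins `actions/create-github-app-token` to a full commit SHA; both tag-pinned actions receive the GitHub App token from `steps.token.outputs.token`, so a moved or compromised tag would run third-party code with that token in a release job. Pin both to the full commit SHA of the release you intend and keep the tag as a trailing comment, exactly as the first step does, e.g. `uses: actions/checkout@<full-commit-sha> # v4.x.y` (look the SHA up from the upstream tag rather than copying a placeholder). This is the main supply-chain exposure in the new workflow; the two `workflow_dispatch` inputs are only consumed through `with:`, not interpolated into a `run:` shell step, so no expression-injection concern is visible in this hunk.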
From 339cef8b0631590a678c141789b4360ff59a67a5 Mon Sep 17 00:00:00 2001
From: Ivan Dlugos
Date: Thu, 18 Sep 2025 11:51:37 +0200
Subject: [PATCH 2/2] fix: add explicit permissions to release workflow

Adds 'permissions: contents: read' to limit GITHUB_TOKEN permissions following security best practices. The workflow uses a GitHub App token for privileged operations, so limiting the default token to read-only is appropriate.
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e608856e..ce163aed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,8 @@
 name: Release
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
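Review bot: The new `permissions:` block has no comment saying why read-only is sufficient for a release job; the rationale (privileged steps use the GitHub App token minted by the `Get auth token` step, not GITHUB_TOKEN) is only in the commit message and should sit in the file. Add above it `# Default GITHUB_TOKEN stays read-only; release steps that need write access use the GitHub App token from the 'Get auth token' step.` Because the write capability now lives entirely in that App token, consider also gating the `release` job with a protected `environment:` (required reviewers) so a `workflow_dispatch` from any write-access account cannot publish unattended — that is outside this hunk and presumably a repository-policy decision.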