fix: generate changelog at release time via artifact instead of direct push

.github/workflows/dotnet.yml

@@ -81,56 +81,39 @@ jobs:
     - name: List working directory
       run: ${{ matrix.dir_command }}
 
-  # Generate and commit a changelog on every push to main.
-  # On pull requests this job passes without committing because:
-  #   - Fork PRs cannot receive pushes via GITHUB_TOKEN (GitHub security boundary).
-  #   - The changelog is auto-generated from merged PRs, so it only needs to be
-  #     up-to-date on main, not in every PR branch.
-  # Commits made with GITHUB_TOKEN do not trigger new workflow runs, so there is
-  # no risk of an infinite loop.
+  # Changelog generation.
+  # On pull requests: passes without action — changelog is generated at release time.
+  # On push to main: generates the changelog as an artifact for the create_release job.
+  # The changelog is NOT committed to the repo because the org-level branch protection
+  # ruleset blocks direct pushes to main (even from GITHUB_TOKEN).
   create_changelog:
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
     steps:
-      #### PUSH TO MAIN — generate, commit, and push the changelog ####
-      - name: Checkout main
+      - name: Checkout code
         if: ${{ github.event_name == 'push' }}
         uses: actions/checkout@v4
         with:
           ref: main
 
-      - name: Configure git
-        if: ${{ github.event_name == 'push' }}
-        run: |
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
-
       - name: Generate changelog
         if: ${{ github.event_name == 'push' }}
         uses: tj-actions/github-changelog-generator@v1.19
         with:
           output: CHANGELOG.md
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Commit changelog
+      - name: Upload changelog artifact
         if: ${{ github.event_name == 'push' }}
-        run: |
-          git add CHANGELOG.md
-          if git diff-index --quiet HEAD; then
-            echo "No changelog changes to commit."
-          else
-            git commit -m "Update changelog"
-            git push
-          fi
-
-      #### PULL REQUEST — nothing to commit; just pass ####
+        uses: actions/upload-artifact@v4
+        with:
+          name: changelog
+          path: CHANGELOG.md
 
-      - name: Skip changelog commit for PRs
+      - name: Skip for PRs
         if: ${{ github.event_name == 'pull_request' }}
-        run: echo "Changelog will be updated automatically when this PR is merged to main."
-
-      #### OTHER EVENTS — nothing to do ####
+        run: echo "Changelog will be generated at release time when this PR is merged to main."
 
       - name: No-op for other events
         if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }}
@@ -162,16 +145,16 @@ jobs:
     # Checkout the main branch and fetch tags.
     - name: Checkout code
       if: ${{ github.event_name == 'push' }}
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Full history needed for tag discovery.
 
-    # Checkout the main branch so we can see the correct tag set.
-    - name: Fetch and checkout main
+    # Download the changelog generated by the create_changelog job.
+    - name: Download changelog
       if: ${{ github.event_name == 'push' }}
-      run: |
-        git config --local user.email "action@github.com"
-        git config --local user.name "GitHub Action"
-        git fetch
-        git checkout main
+      uses: actions/download-artifact@v4
+      with:
+        name: changelog
 
     # Create a semantically versioned tag that increments the last release.
     #   If the last release is a pre-release, increment the pre-release number, so v1.2.3-pre4 becomes v1.2.3-pre5.