ci(release): migrate to Craft reusable workflow

[vaind]

Summary

Migrate from the deprecated action-prepare-release to Craft's reusable workflow.

This is a simplified approach compared to #141, using the reusable workflow pattern recommended in the Craft documentation.

Changes

• Switch to getsentry/craft/.github/workflows/release.yml@v2 reusable workflow
• Make version input optional (defaults to auto - inferred from conventional commits)
• Remove manual token/checkout steps (handled by reusable workflow)

Supersedes #141

🤖 Generated with Claude Code

[github-actions]

	Warnings
⚠️	Could not load custom Dangerfile: .github/test-dangerfile-curl.js Error: ENOENT: no such file or directory, lstat '/github/workspace/.github/test-dangerfile-curl.js'

Generated by 🚫 dangerJS against 78f9dd2

[BYK]

You need the special token for release bot otherwise your releases will fail

[jpnurmi]

Like this?

GraphQL: Resource not accessible by integration (createIssue)
Error: Process completed with exit code 1.

https://github.com/getsentry/github-workflows/actions/workflows/release.yml

[vaind]

@BYK I'm confused why do docs say to use the reusable workflow as the recommended way to set up?

FWIW I've ran this by Claude and this seams reasonable:

The problem in Craft's release.yml:

This step ONLY runs for the Craft repo itself

- name: Get auth token                                                                                                                                                                                                                                                                                                                
  id: token
  if: github.event_name == 'workflow_dispatch' && github.repository == 'getsentry/craft'
  uses: actions/create-github-app-token@...
  with:
    app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
    private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}

For external repos: uses github.token which can't create issues in getsentry/publish

- name: Prepare release
  if: github.repository != 'getsentry/craft'
  env:
    GITHUB_TOKEN: ${{ github.token }}  # <-- this is the problem

Since secrets: inherit already passes SENTRY_RELEASE_BOT_PRIVATE_KEY through, and vars.SENTRY_RELEASE_BOT_CLIENT_ID is available at the org level, the credentials are already there — Craft just doesn't use them for external repos.

What would need to change in Craft:

1. Remove the repository guard on the token step — or add a second token step for external repos:

  - name: Get auth token
    id: token
  - if: github.event_name == 'workflow_dispatch' && github.repository == 'getsentry/craft'
  - if: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY != '' }}

3. Use the app token (with fallback) in the external repos step:

- name: Prepare release
  if: github.repository != 'getsentry/craft'
  env:
-      GITHUB_TOKEN: ${{ github.token }}
+      GITHUB_TOKEN: ${{ steps.token.outputs.token || github.token }}

4. Same for the checkout step (already correct — it does ${{ steps.token.outputs.token || github.token }}).

An alternative Craft-side approach would be to add an explicit token secret to workflow_call:

  workflow_call:
    secrets:
      token:
        description: 'Token with cross-repo issue creation permissions'
        required: false

Then callers would generate the token themselves and pass it. But that's more boilerplate per-repo and defeats the purpose of the reusable workflow simplifying things.