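# Release pipeline: runs the shared reusable CI workflow for every pushed
# version tag. The file is laid out one key per line so that the concurrency,
# permissions and jobs sections are parsed as YAML and not swallowed by a
# trailing `#` comment.
name: CI (Release)

on:
  push:
    tags:
      # GitHub filter pattern: "v", one digit, then any characters except "/".
      # It is not a strict version check, so a tag such as "v1-test" matches too.
      # NOTE(review): every matching tag starts a run that holds the write
      # scopes below; confirm that creating such tags is restricted
      # (tag protection rule / ruleset) to the people allowed to release.
      - 'v[0-9]*'

# Tags must never be cancelled — each is a public release
concurrency:
  # One group per tag name, so runs for different tags never share a group.
  group: ci-release-${{ github.ref_name }}
  cancel-in-progress: false

# Workflow-level permissions set the ceiling for the reusable ci.yml.
# id-token is never in the default token, so it must be granted explicitly
# here — otherwise the ci: job's `permissions:` block exceeds the caller
# workflow's permissions and GitHub rejects the run with startup_failure.
permissions:
  actions: read
  contents: write
  packages: write
  # Lets jobs request an OIDC token from GitHub.
  id-token: write

jobs:
  ci:
    # Local reusable workflow: it is taken from the same commit as this file,
    # so the tagged commit decides which version of ci.yml runs.
    uses: ./.github/workflows/ci.yml
    # `inherit` passes every secret available to this workflow on to ci.yml.
    # NOTE(review): ci.yml is not visible here; if it needs only a few secrets,
    # passing them by name keeps the rest out of reach of its steps.
    secrets: inherit
    # The called workflow can keep or reduce these scopes but never raise them.
    # NOTE(review): confirm that the jobs inside ci.yml each declare their own
    # narrower `permissions:` so that only the publishing steps hold write access.
    permissions:
      actions: read
      contents: write
      packages: write
      id-token: write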