fix: use built-in token for rolling PR workflow

[namastex888]

Summary

• switch Rolling PR Maintenance from stale RELEASE_PLEASE_TOKEN to ${{ github.token }}
• make the helper exit cleanly when the dev -> main PR already exists or when dev is not ahead
• document that long-lived production RLMX checkouts track main; source work uses short-lived drogo/<topic> branches

Verification

• PyYAML parsed .github/workflows/rolling-pr.yml
• extracted workflow shell passed bash -n
• security diff scan: no findings
• npm run check
• npm test — 377 passing, 0 failing
• independent reviewer: passed; no security concerns or logic errors

Summary by CodeRabbit

• Documentation

  • Clarified release branch guidance, designating the main branch as the canonical release target.
  • Updated branching strategy documentation for focused development work and contribution guidelines.

• Chores

  • Enhanced automation workflow for improved reliability and robustness in rolling PR creation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6a6a41db-00f7-4adf-8122-78b3bcdaf8c6

📥 Commits

Reviewing files that changed from the base of the PR and between 47e1244 and f7cb8be.

📒 Files selected for processing (2)

• .github/workflows/rolling-pr.yml
• docs/release-contract.md

---

📝 Walkthrough

Walkthrough

This PR hardens the rolling PR workflow with improved safety and token handling, while expanding release branch strategy documentation. The workflow now uses the built-in GitHub token, strict shell options, and safer PR detection logic with guards for existing PRs and commits ahead of main. Documentation clarifies that main is the canonical release branch and short-lived topic branches should be used for focused work.

Changes

Rolling PR Workflow and Release Strategy

Layer / File(s)	Summary
Rolling PR workflow robustness and detection .github/workflows/rolling-pr.yml	The workflow switches from a custom token to ${{ github.token }}, enables strict shell options (set -euo pipefail), implements safe PR-number extraction via jq, adds an early exit when a rolling PR already exists, guards PR creation with a check for commits ahead of main, and moves the creation-success log message into the creation code path.
Release branch strategy documentation docs/release-contract.md	Release contract documentation is expanded to define main as the canonical release branch for long-lived production checkouts and prescribe short-lived drogo/<topic> branches for focused work that must be merged back to main.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rolling PR keeps the workflow clean,
With tokens built-in and logic serene,
No lingering branches, no lingering doubt—
Just short-lived topics that flow in and out! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing a custom token with the built-in GitHub token in the rolling PR workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch drogo/fix-rolling-pr-token

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the release contract documentation in docs/release-contract.md to clarify that main is the expected branch for long-lived production checkouts. It also advises using short-lived drogo/ branches for focused changes and returning the production checkout to main after merging, rather than maintaining a long-lived drogo/prod-rlmx branch. There are no review comments, and I have no additional feedback to provide.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f7cb8be88a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use an app/PAT token so PR CI runs automatically

For the scheduled path that creates a new dev -> main PR, replacing the PAT with ${{ github.token }} means the repository's pull_request workflows (.github/workflows/ci.yml and commitlint.yml, both filtered to main/dev) will not run automatically; GitHub documents that PRs created/updated with GITHUB_TOKEN put resulting pull_request runs in an approval-required state, while a GitHub App token or PAT lets them run automatically (https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow). That breaks the rolling PR's intended unattended check/ready state after creation until someone manually approves the workflows.

Useful? React with 👍 / 👎.