fix: use GITHUB_TOKEN for PR creation in tag-release

[brayniac]

Summary

The v2.0.0 release surfaced a token-permissions bug in tag-release.yml: the tag push and crates.io publish succeeded, but the automated dev-version bump PR failed to open:

pull request create failed: GraphQL: Resource not accessible by personal access token (createPullRequest)

Root cause

The workflow uses RELEASE_TOKEN (a PAT) for gh pr create so that pushes can trigger downstream workflows — PATs with contents: write do, but GITHUB_TOKEN doesn't. However, the job-level permissions: pull-requests: write only configures GITHUB_TOKEN; it has no effect on PATs. The RELEASE_TOKEN PAT was never granted pull_requests scope.

Fix

Use GITHUB_TOKEN (which has pull-requests: write from the job's permissions block) only for gh pr create. Keep RELEASE_TOKEN for all git pushes so tag and branch pushes continue to trigger their downstream workflows.

One-line env change plus a comment explaining the split.

Test plan

• Next release runs tag-release and successfully opens the bump PR end-to-end (verifiable on the next release cycle).
• Manual workaround for v2.0.0 → 2.0.1-alpha.0 bump landed via chore: bump to 2.0.1-alpha.0 for next development iteration #12.

🤖 Generated with Claude Code