fix: use PAT instead of GITHUB_TOKEN for release tag workflow

[eggshell]

Pull Request Description

What and why?

The create_release_tag workflow uses the default GITHUB_TOKEN to push tags and create releases. GitHub Actions intentionally prevents events created by GITHUB_TOKEN from triggering other workflows, which means the pypi.yaml workflow (triggered on push: tags: v*.*.*) never fires after a tag is created.

This PR switches to a PAT (LIBRARY_RELEASE_PAT) for both the checkout token (used by git push) and the gh release create step, allowing downstream workflows to trigger.

How to test

1. Add a LIBRARY_RELEASE_PAT repo secret with a PAT that has contents: write scope
2. Run the "Create Release Tag" workflow
3. Verify the PyPI publish workflow triggers on the new tag

What needs special review?

• Ensure the LIBRARY_RELEASE_PAT secret is created in the repo before merging

Dependencies, breaking changes, and deployment notes

• Requires a new repo secret: LIBRARY_RELEASE_PAT (PAT with contents: write permission)
• No breaking changes

Release notes

Checklist

• What and why
• Screenshots or videos (Frontend)
• How to test
• What needs special review
• Dependencies, breaking changes, and deployment notes
• Labels applied
• PR linked to Shortcut
• Unit tests added (Backend)
• Tested locally
• Documentation updated (if required)
• Environment variable additions/changes documented (if required)

[github-actions]

Pull requests must include at least one of the required labels: internal (no release notes required), highlight, enhancement, bug, deprecation, documentation. Except for internal, pull requests must also include a description in the release notes section.

[github-actions]

PR Summary

This pull request updates the release creation workflow to use the LIBRARY_RELEASE_PAT secret instead of the default GITHUB_TOKEN in two key areas:

1. In the GitHub checkout action, a new parameter token is added with the value ${{ secrets.LIBRARY_RELEASE_PAT }}. This enables the checkout step to use the release-specific token for operations that might require elevated privileges or a different permission set.

2. In the final step where the release tag is created, the environment variable GITHUB_TOKEN has been replaced with ${{ secrets.LIBRARY_RELEASE_PAT }}. This ensures that subsequent actions that depend on the token for creating releases and generating notes are authenticated with the correct token.

These changes are focused on enhancing the release process by switching to a different secret token, likely to allow improved control over token permissions or to address specific requirements of the release management process.

Test Suggestions

• Validate that the workflow triggers correctly when a release is created and that it uses the LIBRARY_RELEASE_PAT for authentication.
• Manually trigger the workflow in a test environment to confirm that releases are properly created and notes are generated without errors.
• Check that the token substitution works as expected by inspecting logs or output variables, ensuring that the correct token is used at each step.

[github-actions]

Pull requests must include at least one of the required labels: internal (no release notes required), highlight, enhancement, bug, deprecation, documentation. Except for internal, pull requests must also include a description in the release notes section.