By default our organization on GH only grants a more restricted read
permission to actions for content APIs, which include both writing to
repo for nightly tag creation, and writing to releases for nightly and
tag release creation or updates.
Release will be created as a draft, remaining private until manually published.
All generated artifacts will be uploaded, but will still need to be signed, and
the code archives still need to be created following
MAINTAINING.md#after-tagging
Fix#6345
* Tag is required to create a release, so tag "nightly" is moved to
latest commit on each run.
* Each time the tag is moved, the existing "nightly" release is updated
automatically by github to point to the new tag and bundle the new
commit's source code.
* Artifacts are uploaded with intentionally conflicting names to replace
last commit's version of artifacts, rather than deleting the whole
release and making a new one.
* This has two benefits, it doesn't notify of a new release on each
commit, and it doesn't leave a gap where there's no nightly release
available.
