feat(ci): add manual release workflow with tag management

Switch the release workflow from tag-triggered pushes to manual dispatch and automate release preparation from main. This validates the version, builds and commits the release artifact on a release branch, creates versioned major/minor tags, and publishes the GitHub release to make releases safer and more repeatable.feat(ci): add manual release workflow with tag management

Switch the release workflow from tag-triggered pushes to manual dispatch and automate release preparation from main. This validates the version, builds and commits the release artifact on a release branch, creates versioned major/minor tags, and publishes the GitHub release to make releases safer and more repeatable.

Author: failuresmith

.github/workflows/release.yml

@@ -1,9 +1,13 @@
 name: release
 
 on:
-  push:
-    tags:
-      - 'v*'
+  workflow_dispatch:
+    inputs:
+      update_minor_tag:
+        description: Also move the vX.Y tag to this release
+        required: false
+        default: true
+        type: boolean
 
 permissions: {}
 
@@ -18,19 +22,86 @@ jobs:
         with:
           persist-credentials: false
       - uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
+        fetch-depth: 0
         with:
           version: 8.15.4
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
           cache: pnpm
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm run lint
-      - run: pnpm run typecheck
-      - run: pnpm run coverage
-      - run: pnpm run validate
-      - run: pnpm run build
-      - run: test -f action.yml
-      - uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Ensure branch is main
+        run: |
+          if [ "${GITHUB_REF_NAME}" != "main" ]; then
+            echo "Release workflow must run from main. Current ref: ${GITHUB_REF_NAME}"
+            exit 1
+          fi
+
+      - name: Read version from package.json
+        id: meta
+        run: |
+          VERSION="$(node -p "require('./package.json').version")"
+          if ! printf '%s' "$VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "package.json version must be full semver like 1.2.3"
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
+          echo "major_tag=v${VERSION%%.*}" >> "$GITHUB_OUTPUT"
+          echo "minor_tag=v$(printf '%s' "$VERSION" | cut -d. -f1,2)" >> "$GITHUB_OUTPUT"
+          echo "release_branch=release" >> "$GITHUB_OUTPUT"
+
+      - name: Ensure version tag does not already exist
+        run: |
+          if git ls-remote --exit-code --tags origin "refs/tags/${{ steps.meta.outputs.tag }}" >/dev/null 2>&1; then
+            echo "Tag ${{ steps.meta.outputs.tag }} already exists on origin"
+            exit 1
+          fi
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Validate source branch
+        run: pnpm run check
+
+      - name: Create release branch from main
+        run: |
+          git switch --create "${{ steps.meta.outputs.release_branch }}" || git switch "${{ steps.meta.outputs.release_branch }}"
+          git reset --hard "origin/main"
+
+      - name: Build release artifact
+        run: pnpm run build
+
+      - name: Commit release artifact
+        run: |
+          git add -f dist/index.js
+          git commit -m "chore(release): publish ${{ steps.meta.outputs.tag }}" \
+            -m "Build the GitHub Action artifact from package.json version ${{ steps.meta.outputs.version }}."
+
+      - name: Create release tags
+        run: |
+          git tag -a "${{ steps.meta.outputs.tag }}" -m "Release ${{ steps.meta.outputs.tag }}"
+          git tag -fa "${{ steps.meta.outputs.major_tag }}" -m "Release ${{ steps.meta.outputs.major_tag }} -> ${{ steps.meta.outputs.tag }}"
+          if [ "${{ inputs.update_minor_tag }}" = "true" ]; then
+            git tag -fa "${{ steps.meta.outputs.minor_tag }}" -m "Release ${{ steps.meta.outputs.minor_tag }} -> ${{ steps.meta.outputs.tag }}"
+          fi
+
+      - name: Push release branch and tags
+        run: |
+          git push origin HEAD:${{ steps.meta.outputs.release_branch }} --force-with-lease
+          git push origin "${{ steps.meta.outputs.tag }}"
+          git push origin "${{ steps.meta.outputs.major_tag }}" --force
+          if [ "${{ inputs.update_minor_tag }}" = "true" ]; then
+            git push origin "${{ steps.meta.outputs.minor_tag }}" --force
+          fi
+
+      - name: Publish GitHub Release
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
+          tag_name: ${{ steps.meta.outputs.tag }}
           generate_release_notes: true

.github/workflows/self-test.yml

@@ -16,6 +16,15 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
+      - uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
+        with:
+          version: 8.15.4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run build
       - uses: ./
         with:
           github-token: ${{ github.token }}
@@ -31,6 +40,15 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
+      - uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
+        with:
+          version: 8.15.4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version: 20
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm run build
       - id: policy-gate
         continue-on-error: true
         uses: ./

README.md

@@ -69,4 +69,4 @@ make build
 
 ## Release
 
-Tag a version like `v1.0.0` to run the release workflow. The repository uses PolyForm Noncommercial 1.0.0.
+Keep `main` source-only. To publish, run the `release` workflow manually from `main`. The workflow reads the version from `package.json`, validates the repo, creates a release commit on the dedicated `release` branch with `dist/index.js`, tags `vX.Y.Z`, and moves `vX` so consumers can keep using `uses: failuresmith/github-policy-gate@v1`. The repository uses PolyForm Noncommercial 1.0.0.