From 4f7212ead2b6ed195515ec6df55be9220c2c09fd Mon Sep 17 00:00:00 2001
From: Derek <256792747+decofe@users.noreply.github.com>
Date: Wed, 24 Jun 2026 14:30:46 +0000
Subject: [PATCH 1/3] ci: require manual release publishing
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/release.yml | 49 ++++++++++++++++++++++++++++++-----
 2 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e031ea6..56028c8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -188,7 +188,7 @@ jobs:
 contents: write
 needs: [parse-tag, build]
 runs-on: ubuntu-latest
- if: startsWith(github.ref, 'refs/tags/')
+ if: github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/')
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3150797..d263a87 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,14 +7,15 @@ on:
 concurrency: ${{ github.workflow }}-${{ github.ref }}
-permissions:
- actions: write
- contents: write
- pull-requests: write
+permissions: {}
 jobs:
- release:
+ prepare:
+ if: github.event_name == 'push'
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
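Review bot: Gating the publishing job on `github.event_name == 'workflow_dispatch'` restricts how it starts but not who starts it, since any collaborator with write access can dispatch a workflow, and unlike the `release` job this series adds to release.yml this job keeps `contents: write` without an `environment:`. Adding `environment: release` here would put asset publishing behind the same protection rules (required reviewers, deployment branch/tag rules) as the tagging job. The condition also assumes that build.yml's `on:` block lists `workflow_dispatch` and that the dispatcher selects a tag ref; neither is visible in this hunk, so both are worth confirming, because otherwise the job can never run. The job's header and name are outside the hunk.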
@@ -69,8 +70,44 @@ jobs:
 gh pr create --head "$BRANCH" --base main --title "chore: release ${VERSION}" --body "Version wallet-cli to ${VERSION} and update CHANGELOG.md."
 fi
+ release:
+ if: github.event_name == 'workflow_dispatch'
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ actions: write
+ contents: write
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Setup Node.js
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+ with:
+ node-version: "22"
+
+ - name: Setup pnpm
+ run: |
+ corepack enable
+ corepack prepare pnpm@11.0.8 --activate
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Apply pending changelogs
+ run: pnpm changelog:version
+
+ - name: Check release tree is clean
+ run: |
+ if ! git diff --quiet; then
+ echo "Pending changelog changes exist. Merge the generated release PR before dispatching a release." >&2
+ git diff -- package.json CHANGELOG.md .changelog
+ exit 1
+ fi
+
 - name: Create release tag when version is unreleased
-if: steps.diff.outputs.changed == 'false'
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
From ef59d497d53e5bc1aca0444c5ac7e48c9bf75fc1 Mon Sep 17 00:00:00 2001
From: Derek <256792747+decofe@users.noreply.github.com>
Date: Wed, 24 Jun 2026 15:03:51 +0000
Subject: [PATCH 2/3] chore: add release hardening changelog
---
 .changelog/release-process-hardening.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changelog/release-process-hardening.md
diff --git a/.changelog/release-process-hardening.md b/.changelog/release-process-hardening.md
new file mode 100644
index 0000000..f88ca83
--- /dev/null
+++ b/.changelog/release-process-hardening.md
@@ -0,0 +1,5 @@
+---
+wallet-cli: none
+---
+
+Require manual release workflow dispatch before creating GitHub releases or publishing release assets.
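Review bot: The new `release` job grants `actions: write` next to `contents: write`, but none of the steps inside this hunk (checkout, setup-node, pnpm, `changelog:version`, the tree check) touch the Actions API; the only step that might, `Create release tag when version is unreleased`, has its `run:` body outside the hunk. If that body dispatches another workflow, a comment on the permission line would keep the least-privilege rationale auditable, e.g. `actions: write  # TODO confirm: only needed if this job dispatches the build workflow after tagging`; if it does not, the scope should go. `environment: release` is what actually decides who can publish, because any collaborator with write access can fire `workflow_dispatch`; a comment noting that the environment must have required reviewers and a deployment branch/tag rule configured would make that dependency explicit. The tree-clean check relies on `git diff --quiet`, which ignores untracked files, so if `pnpm changelog:version` can create new files a check such as `if [ -n "$(git status --porcelain)" ]; then` would catch them too — this applies equally to the reworked step in PATCH 3/3.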
From 35c6a78be09e1f79ba2116a4fbfb7b314e3b9b3e Mon Sep 17 00:00:00 2001
From: Derek <256792747+decofe@users.noreply.github.com>
Date: Wed, 24 Jun 2026 15:10:24 +0000
Subject: [PATCH 3/3] ci: keep release diff guard
---
 .github/workflows/release.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d263a87..bfdfd52 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -100,14 +100,19 @@ jobs:
 run: pnpm changelog:version
 - name: Check release tree is clean
+ id: diff
 run: |
- if ! git diff --quiet; then
+ if git diff --quiet; then
+ echo "changed=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "changed=true" >> "$GITHUB_OUTPUT"
 echo "Pending changelog changes exist. Merge the generated release PR before dispatching a release." >&2
 git diff -- package.json CHANGELOG.md .changelog
 exit 1
 fi
 - name: Create release tag when version is unreleased
+ if: steps.diff.outputs.changed == 'false'
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
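Review bot: The `changed=true` output written in the `else` branch is never consumed, because that branch ends in `exit 1` and a failed step already keeps `Create release tag when version is unreleased` from running unless a later edit adds `continue-on-error: true` or an `if: always()`. Keeping the restored `steps.diff.outputs.changed == 'false'` gate as a second line of defence is reasonable, but without a comment the redundancy reads as accidental; something like `# second gate: the exit 1 above already stops the job, this also holds if continue-on-error is ever added` on the `if:` line would record the intent. The `changed=false` path is the only one that can reach the tagging step, so the output name and the `id: diff` reference are the load-bearing pair to keep in sync if either is renamed.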