From 717d6aba0f15312f509f5c4999e34d71ecbab8a9 Mon Sep 17 00:00:00 2001
From: Zanie Blue
Date: Thu, 16 Apr 2026 13:56:58 -0500
Subject: [PATCH] Add a release-gate step to the release workflow (#859)
---
 .github/workflows/release.yml | 73 ++++++++++++++++++++++++++++++-----
 1 file changed, 64 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0355c99..af17cb9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,31 +11,86 @@ on:
 permissions: {}
 jobs:
- release:
- name: Release
+ validate-release:
+ name: Validate release
 runs-on: ubuntu-latest
- environment: release
 permissions:
- contents: write
+ contents: read
 steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Validate version
+ - name: Validate version and draft release
 env:
+ GH_REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VERSION: ${{ inputs.version }}
+ TAG: v${{ inputs.version }}
 run: |
 if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
 echo "::error::Version must match MAJOR.MINOR.PATCH (e.g., 8.1.0)"
 exit 1
 fi
+ RELEASE_JSON=$(gh release view "$TAG" --json isDraft,targetCommitish 2>&1) || {
+ echo "::error::No release found for $TAG"
+ exit 1
+ }
+
+ IS_DRAFT=$(echo "$RELEASE_JSON" | jq -r '.isDraft')
+ TARGET=$(echo "$RELEASE_JSON" | jq -r '.targetCommitish')
+
+ if [[ "$IS_DRAFT" != "true" ]]; then
+ echo "::error::Release $TAG already exists and is not a draft"
+ exit 1
+ fi
+
+ if [[ "$TARGET" != "$GITHUB_SHA" ]]; then
+ echo "::error::Draft release target ($TARGET) does not match current commit ($GITHUB_SHA)"
+ exit 1
+ fi
+
+ release-gate:
+ # N.B. This name should not change, it is used for downstream checks.
+ name: release-gate
+ needs:
+ - validate-release
+ runs-on: ubuntu-latest
+ environment:
+ name: release-gate
+ steps:
+ - run: echo "Release approved"
+
+ create-deployment:
+ name: create-deployment
+ needs:
+ - validate-release
+ - release-gate
+ runs-on: ubuntu-latest
+ environment:
+ name: release
+ steps:
+ - run: echo "Release deployment created"
+
+ release:
+ name: Release
+ needs:
+ - validate-release
+ - release-gate
+ - create-deployment
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
 - name: Publish release
 env:
+ GH_REPO: ${{ github.repository }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ VERSION: ${{ inputs.version }}
 TAG: v${{ inputs.version }}
 run: |
+ if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
+ echo "::error::Version must match MAJOR.MINOR.PATCH (e.g., 8.1.0)"
+ exit 1
+ fi
+
 RELEASE_JSON=$(gh release view "$TAG" --json isDraft,targetCommitish 2>&1) || {
 echo "::error::No release found for $TAG"
 exit 1