From 4fe70f6965c64529ea56f201f19a6ab0bc1edeab Mon Sep 17 00:00:00 2001
From: Johannes Altmanninger <aclopte@gmail.com>
Date: Mon, 22 Sep 2025 17:09:13 +0200
Subject: [PATCH] github release workflow: only run on explicit dispatch

Release automation can be tested on any GitHub fork, using

	build_tools/release.sh $version $repository_owner $git_remote

which should work perfectly except for macOS packages (which fail
unless provided GitHub secrets).

People might push tags to their forks, both non-release tags (which
would trigger an early failure in "is-release-tag") or replicas of
our actual release tags (which would create a draft release etc. and
only fail when building macOS packages).

Run on explicit workflow dispatch to make sure it's not triggered by
accident like that.

This means that we'll use the .github/workflows/release.yml from
the default branch (i.e. master), so try to make sure it matches the
version in the release, to prevent accidents.

Closes #11816

(cherry picked from commit 01361b92175b0f70bc26063929c9616f58fc698b)
---
 .github/workflows/release.yml | 32 +++++++++++++++++---------------
 build_tools/release.sh        |  5 +++++
 2 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 311ffca87..471c1cf12 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,9 +1,11 @@
 name: Create a new release
 
-on:
-  push:
-    tags:
-      - '*.*.*'
+on: workflow_dispatch
+inputs:
+  version:
+    description: 'Version to release (tag name)'
+    required: true
+    type: string
 
 permissions:
   contents: write
@@ -16,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
       - name: Check if the pushed tag looks like a release
         run: |
           set -x
@@ -36,7 +38,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
       - name: Install dependencies
         run: sudo apt install cmake gettext ninja-build python3-pip python3-sphinx
       - name: Create tarball
@@ -87,7 +89,7 @@ jobs:
         with:
           name: source-tarball
           path: |
-            /tmp/fish-built/fish-${{ github.ref_name }}.tar.xz
+            /tmp/fish-built/fish-${{ inputs.version }}.tar.xz
             /tmp/fish-built/release-notes.md
           if-no-files-found: error
 
@@ -99,7 +101,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
       - name: Install Rust Stable
         uses: ./.github/actions/rust-toolchain@stable
         with:
@@ -125,7 +127,7 @@ jobs:
       - uses: actions/upload-artifact@v4
         with:
           name: Static builds for Linux
-          path: fish-${{ github.ref_name }}-linux-*.tar.xz
+          path: fish-${{ inputs.version }}-linux-*.tar.xz
           if-no-files-found: error
 
   create-draft-release:
@@ -139,7 +141,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
       - name: Download all artifacts
         uses: actions/download-artifact@v4
         with:
@@ -150,13 +152,13 @@ jobs:
       - name: Create draft release
         uses: softprops/action-gh-release@v2
         with:
-          tag_name: ${{ github.ref_name }}
-          name: fish ${{ github.ref_name }}
+          tag_name: ${{ inputs.version }}
+          name: fish ${{ inputs.version }}
           body_path: /tmp/artifacts/release-notes.md
           draft: true
           files: |
-            /tmp/artifacts/fish-${{ github.ref_name }}.tar.xz
-            /tmp/artifacts/fish-${{ github.ref_name }}-linux-*.tar.xz
+            /tmp/artifacts/fish-${{ inputs.version }}.tar.xz
+            /tmp/artifacts/fish-${{ inputs.version }}-linux-*.tar.xz
 
   packages-for-macos:
     needs: [is-release-tag, create-draft-release]
@@ -167,7 +169,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
       - name: Install Rust
         uses: ./.github/actions/rust-toolchain@oldest-supported
         with:
diff --git a/build_tools/release.sh b/build_tools/release.sh
index 9f9dd7a64..81f28b953 100755
--- a/build_tools/release.sh
+++ b/build_tools/release.sh
@@ -54,6 +54,9 @@ integration_branch=$(
 [ -n "$integration_branch" ] ||
     git merge-base --is-ancestor $remote/master HEAD
 
+release_flow=.github/workflows/release.yml
+git diff --exit-code -- :/$release_flow $remote/master:$release_flow
+
 sed -n 1p CHANGELOG.rst | grep -q '^fish .*(released .*)$'
 sed -n 2p CHANGELOG.rst | grep -q '^===*$'
 
@@ -83,6 +86,8 @@ gh() {
     command gh --repo "$repository_owner/fish-shell" "$@"
 }
 
+gh workflow run release.yml --raw-field "version=$version"
+
 run_id=
 while [ -z "$run_id" ] && sleep 5
 do