
[Workflows] Command-gate Release (workflow_dispatch/workflow_call) + harden permissions #70

@ashleyshaw

Description

Title: [Workflows] Command-gate Release (workflow_dispatch/workflow_call) + harden permissions
Labels: area:workflows, v0.2.0, release
Summary: Ensure release only runs on demand, with typed inputs, least-privileged permissions, and dry-run/rollback.
Acceptance Criteria:
- .github/workflows/release.yml uses workflow_dispatch and/or workflow_call with inputs (version, notes_from).
- Explicit permissions: scoped to what tagging requires; default read-all elsewhere.
- Changelog assembled from PR + develop commits.
- Dry-run path outputs artifacts; rollback notes documented.
Impact/Risk: Prevents accidental tags and incomplete releases.
Dependencies/Links: Part-1 audit; G11.
Owner: Workflows
Telemetry: Count unauthorized trigger attempts (should be 0).
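An added example of a release.yml shaped to these criteria (not the project's own file): manual or called trigger with typed inputs, a read-only token by default, `contents: write` only on the job that pushes the tag, and a dry-run path that still uploads the changelog artifact. The job names, the `release` environment and the artifact name are assumptions.

```yaml
name: Release
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Tag to create, e.g. v0.2.0"
        required: true
        type: string
      notes_from:
        description: "Branch whose commits feed the changelog"
        type: string
        default: develop
      dry_run:
        description: "Build the changelog and artifacts only; do not tag"
        type: boolean
        default: true
  workflow_call:
    inputs:
      version:    { required: true, type: string }
      notes_from: { type: string, default: develop }
      dry_run:    { type: boolean, default: true }
permissions: read-all                        # default for every job: read-only GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NOTES_FROM: ${{ inputs.notes_from }}   # pass inputs via env, never inline in the script
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }             # full history so tags and commit ranges resolve
      - name: Assemble changelog from commits on notes_from since the last tag
        run: |
          last=$(git describe --tags --abbrev=0 "origin/$NOTES_FROM" 2>/dev/null \
                 || git rev-list --max-parents=0 "origin/$NOTES_FROM")
          git log --oneline "$last..origin/$NOTES_FROM" > CHANGELOG-draft.md
      - uses: actions/upload-artifact@v4
        with: { name: release-draft, path: CHANGELOG-draft.md }
  tag:
    needs: build
    if: ${{ !inputs.dry_run }}               # dry-run stops here; artifacts are already uploaded
    runs-on: ubuntu-latest
    environment: release                     # assumed environment; add required reviewers to it
    permissions:
      contents: write                        # the only job allowed to push the tag
    env:
      VERSION: ${{ inputs.version }}
    steps:
      - uses: actions/checkout@v4
      - run: git tag "$VERSION" && git push origin "refs/tags/$VERSION"
```

Rollback is a separate manual step against the pushed tag; recording it in the release notes keeps the "rollback notes documented" criterion satisfied without granting the workflow delete rights.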
