From d6940989f026b5137dad70b12c5a9294e4241f7c Mon Sep 17 00:00:00 2001
From: Zanie Blue
Date: Wed, 1 Apr 2026 14:00:05 -0500
Subject: [PATCH] Add a "release-gate" step to the release workflow
---
 .github/workflows/publish-crates.yml | 1 -
 .github/workflows/publish-mirror.yml | 1 -
 .github/workflows/publish-pypi.yml | 2 --
 .github/workflows/release.yml | 18 ++++++++++++++++--
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml
index 11a6e2fb7f381..e6f3c4ad0ba29 100644
--- a/.github/workflows/publish-crates.yml
+++ b/.github/workflows/publish-crates.yml
@@ -17,7 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 environment:
 name: release
- deployment: false
 permissions:
 contents: read
 id-token: write
diff --git a/.github/workflows/publish-mirror.yml b/.github/workflows/publish-mirror.yml
index c5218da0585a5..e9dafab665d16 100644
--- a/.github/workflows/publish-mirror.yml
+++ b/.github/workflows/publish-mirror.yml
@@ -17,7 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 environment:
 name: release
- deployment: false
 env:
 VERSION: ${{ fromJson(inputs.plan).announcement_tag }}
 steps:
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index ecd033228a9bc..30b0f2db8f06d 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -17,7 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 environment:
 name: release
- deployment: false
 permissions:
 id-token: write # For PyPI's trusted publishing
 steps:
@@ -36,7 +35,6 @@ jobs:
 runs-on: ubuntu-latest
 environment:
 name: release
- deployment: false
 permissions:
 id-token: write # For PyPI's trusted publishing
 steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eeff69753ce83..7ae8b3e153c4c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,6 +52,16 @@ env: CARGO_DIST_CHECKSUM: "cd355dab0b4c02fb59038fef87655550021d07f45f1d82f947a34ef98560abb8" jobs: + release-gate: + name: release-gate + if: ${{ inputs.tag != 'dry-run' }} + runs-on: ubuntu-latest + environment: + name: release-gate + deployment: false + steps: + - run: echo "Release approved" + # Run 'dist plan' (or host) to determine what tasks we need to do plan: runs-on: "depot-ubuntu-latest-4" @@ -108,7 +118,8 @@ jobs: custom-build-docker: needs: - plan - if: ${{ needs.plan.outputs.publishing == 'true' || fromJson(needs.plan.outputs.val).ci.github.pr_run_mode == 'upload' || inputs.tag == 'dry-run' }} + - release-gate + if: ${{ always() && needs.plan.result == 'success' && (needs.release-gate.result == 'success' || needs.release-gate.result == 'skipped') && (needs.plan.outputs.publishing == 'true' || fromJson(needs.plan.outputs.val).ci.github.pr_run_mode == 'upload' || inputs.tag == 'dry-run') }} uses: ./.github/workflows/build-docker.yml with: plan: ${{ needs.plan.outputs.val }} @@ -256,6 +267,7 @@ jobs: needs: - plan - host + - release-gate if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }} uses: ./.github/workflows/publish-pypi.yml with: @@ -270,6 +282,7 @@ jobs: needs: - plan - host + - release-gate - custom-publish-pypi # DIRTY: see #16989 if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }} uses: ./.github/workflows/publish-crates.yml 
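Review bot: The new `release-gate` job only gates anything if the `release-gate` environment has protection rules (such as required reviewers) configured in the repository settings, and nothing in the workflow records that dependency. GitHub creates a referenced environment that does not exist, with no protection rules, so a renamed or deleted environment would let `echo "Release approved"` pass with nobody approving. I would add a comment above the job, for example `# Approval gate: relies on required reviewers on the "release-gate" environment; every publishing job must list this job in needs.` It is also worth confirming that reviewer rules are still enforced when `deployment: false` is set. The job declares no `permissions:`; since it only runs `echo`, `permissions: {}` would keep its token empty (the workflow-level default is not visible in this hunk).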
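Review bot: In the new `if:` of `custom-build-docker`, `needs.release-gate.result == 'skipped'` is accepted unconditionally, so the bypass is only safe while the gate's own `if:` stays exactly `inputs.tag != 'dry-run'`. Tying the skip to the dry-run input in this expression keeps the job fail-closed if the gate's condition is ever widened: `(needs.release-gate.result == 'success' || (inputs.tag == 'dry-run' && needs.release-gate.result == 'skipped'))`. The rest of the job is outside the hunk, so whether the Docker build pushes images on a dry run cannot be checked from here.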
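Review bot: The job that calls `publish-pypi.yml` gains `release-gate` in `needs`, but its `if:` never mentions the gate, so enforcement rests on the implicit `success()` check that GitHub applies only while the expression contains no status function. The same holds for the `publish-crates.yml` job in the next hunk. A comment above each `if:` would guard against a later `always() && ...` edit silently dropping the gate, for example `# release-gate is enforced by the implicit success() check; if always() is added here, test needs.release-gate.result explicitly`. Both job headers are outside their hunks.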
@@ -286,12 +299,13 @@ jobs:
 needs:
 - plan
 - host
+ - release-gate
 - custom-publish-pypi
 - custom-publish-crates
 # use "always() && ..." to allow us to wait for all publish jobs while
 # still allowing individual publish jobs to skip themselves (for prereleases).
 # "host" however must run to completion, no skipping allowed!
- if: ${{ always() && needs.host.result == 'success' && (needs.custom-publish-pypi.result == 'skipped' || needs.custom-publish-pypi.result == 'success') && (needs.custom-publish-crates.result == 'skipped' || needs.custom-publish-crates.result == 'success') }}
+ if: ${{ always() && needs.host.result == 'success' && needs.release-gate.result == 'success' && (needs.custom-publish-pypi.result == 'skipped' || needs.custom-publish-pypi.result == 'success') && (needs.custom-publish-crates.result == 'skipped' || needs.custom-publish-crates.result == 'success') }}
 runs-on: "depot-ubuntu-latest-4"
 environment:
 name: release
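Review bot: The comment above the `if:` still names only "host" as the dependency that may not be skipped, while the new expression also requires `needs.release-gate.result == 'success'`. I would update it to `# "host" and "release-gate" however must run to completion, no skipping allowed!` so that a later edit does not relax the gate check to the `skipped || success` pattern used for the publish jobs. Because this job uses `always()`, the explicit result check is the only thing holding it behind the approval. The job's header and steps are outside the hunk.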