ci(release): allow publish flow on hotfix branches

dev-jodee · dev-jodee · commit 171bfaaa876e · 2026-03-27T13:40:27.000-04:00
Permit release preparation and publish workflows from hotfix/* in addition to main, so tag-based hotfix branches can publish patch releases without merging back first.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -14,6 +14,7 @@ on:
       - completed
     branches:
       - main
+      - hotfix/**
 
 permissions:
   contents: write
@@ -39,13 +40,23 @@ jobs:
           CURRENT_REF: ${{ github.ref }}
           HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
-          if [ "$EVENT_NAME" = "workflow_dispatch" ] && [ "$CURRENT_REF" != "refs/heads/main" ]; then
-            echo "::error::Publish Docker Image must be dispatched from main. Current ref: $CURRENT_REF"
-            exit 1
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            case "$CURRENT_REF" in
+              refs/heads/main|refs/heads/hotfix/*) ;;
+              *)
+                echo "::error::Publish Docker Image must be dispatched from main or hotfix/*. Current ref: $CURRENT_REF"
+                exit 1
+                ;;
+            esac
           fi
-          if [ "$EVENT_NAME" = "workflow_run" ] && [ "$HEAD_BRANCH" != "main" ]; then
-            echo "::error::Publish Docker Image via workflow_run is only allowed from main. Source branch: $HEAD_BRANCH"
-            exit 1
+          if [ "$EVENT_NAME" = "workflow_run" ]; then
+            case "$HEAD_BRANCH" in
+              main|hotfix/*) ;;
+              *)
+                echo "::error::Publish Docker Image via workflow_run is only allowed from main or hotfix/*. Source branch: $HEAD_BRANCH"
+                exit 1
+                ;;
+            esac
           fi
 
       - uses: actions/checkout@v4
diff --git a/.github/workflows/rust-publish.yml b/.github/workflows/rust-publish.yml
@@ -34,12 +34,15 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - name: Guard main branch for release publish
+      - name: Guard allowed source branch for release publish
         run: |
-          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
-            echo "::error::Publish Rust Crates must be run from main. Current ref: ${{ github.ref }}"
-            exit 1
-          fi
+          case "${{ github.ref }}" in
+            refs/heads/main|refs/heads/hotfix/*) ;;
+            *)
+              echo "::error::Publish Rust Crates must be run from main or hotfix/*. Current ref: ${{ github.ref }}"
+              exit 1
+              ;;
+          esac
 
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/typescript-publish.yml b/.github/workflows/typescript-publish.yml
@@ -26,15 +26,18 @@ concurrency:
 
 jobs:
   guard-main:
-    name: Guard main branch for publish
+    name: Guard allowed source branch for publish
     runs-on: ubuntu-latest
     steps:
-      - name: Fail if workflow_dispatch is not on main
+      - name: Fail if workflow_dispatch is not on an allowed branch
         run: |
-          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
-            echo "::error::Publish TypeScript SDK must be run from main. Current ref: ${{ github.ref }}"
-            exit 1
-          fi
+          case "${{ github.ref }}" in
+            refs/heads/main|refs/heads/hotfix/*) ;;
+            *)
+              echo "::error::Publish TypeScript SDK must be run from main or hotfix/*. Current ref: ${{ github.ref }}"
+              exit 1
+              ;;
+          esac
 
   # Run tests before publishing
   typescript-integration:
diff --git a/justfile b/justfile
@@ -227,10 +227,11 @@ branch-info:
     @echo ""
     @echo "Releasing:"
     @echo "  Stable/Beta/RC: checkout main, run 'just release'"
+    @echo "  Hotfix patch: run 'just release' from hotfix/*"
     @echo "  Pre-release versions use semver suffixes (e.g. 2.3.0-beta.1)"
     @echo "  Hotfix: run 'just hotfix' from deployed stable tag"
 
-# Prepare a new release (run from main; use semver pre-release suffixes for beta/rc)
+# Prepare a new release (run from main or hotfix/*; use semver pre-release suffixes for beta/rc)
 [group('release')]
 [confirm('Start release process?')]
 release:
@@ -243,10 +244,13 @@ release:
     fi
 
     current_branch=$(git rev-parse --abbrev-ref HEAD)
-    if [ "$current_branch" != "main" ]; then
-        echo "Error: Releases must be prepared from main (current branch: $current_branch)"
-        exit 1
-    fi
+    case "$current_branch" in
+        main|hotfix/*) ;;
+        *)
+            echo "Error: Releases must be prepared from main or hotfix/* (current branch: $current_branch)"
+            exit 1
+            ;;
+    esac
 
     command -v cargo-set-version &>/dev/null || { echo "Install cargo-edit: cargo install cargo-edit"; exit 1; }
     command -v git-cliff &>/dev/null || { echo "Install git-cliff: cargo install git-cliff"; exit 1; }
@@ -352,8 +356,9 @@ hotfix name='' base_tag='':
     echo ""
     echo "Next steps:"
     echo "  1. Apply your hotfix commits"
-    echo "  2. Push and create PR to main"
-    echo "  3. After merge, run 'just release' on main to publish"
+    echo "  2. Run 'just release' on this hotfix branch"
+    echo "  3. Trigger publish workflows from this hotfix branch"
+    echo "  4. Push and merge hotfix back to main"
 
 # Prepare a new TypeScript SDK release
 [group('release')]
