ci(release): allow publish flow on hotfix branches

[dev-jodee]

Summary

• allow just release on main and hotfix/*
• allow Rust and TypeScript publish workflows from hotfix/*
• allow Docker publish workflow_run and manual dispatch from hotfix/*
• update hotfix release guidance in justfile

Test Plan

• just --summary
• git diff --check
• validate branch guards in publish workflows

---

📊 Unit Test Coverage

Unit Test Coverage: 84.0%

View Detailed Coverage Report

[github-actions]

📊 TypeScript Coverage Report

Coverage: 33.1%

View detailed report

Coverage artifacts have been uploaded to this workflow run.
View Artifacts

[greptile-apps]

Greptile Summary

This PR extends the release publishing pipeline to support hotfix/* branches in addition to main, enabling urgent patch releases to be cut and published directly from a hotfix branch without first merging to main.\n\nChanges:\n- rust-publish.yml and typescript-publish.yml: Branch guards updated from a simple main-only if check to a case statement accepting refs/heads/main and refs/heads/hotfix/*.\n- docker-publish.yml: Same guard update for both workflow_dispatch and workflow_run trigger paths; workflow_run.branches filter extended with hotfix/**.\n- justfile: release recipe branch check updated to match; hotfix Next steps guidance reordered to publish before merging back to main.\n\nThe implementation is clean and consistent across all three publish workflows. Two minor issues are present: a wildcard mismatch (hotfix/** vs hotfix/*) between the workflow_run trigger filter and the runtime guard in docker-publish.yml, and the release recipe's "Next steps" echo still only describes the main-first merge flow.

Confidence Score: 5/5

Safe to merge — all publish guards are correctly updated; remaining findings are minor style/consistency issues that do not affect security or correctness for standard single-level hotfix branch names.

Both P2 findings (wildcard inconsistency in the trigger filter and a slightly misleading echo message) are cosmetic in practice: the hotfix recipe always produces single-level hotfix/ branches so the hotfix/** vs hotfix/* mismatch will never be hit in normal usage, and the echo message is non-functional. No P0/P1 issues found.

.github/workflows/docker-publish.yml — review the hotfix/** trigger filter vs hotfix/* guard inconsistency.

Important Files Changed

Filename	Overview
.github/workflows/docker-publish.yml	Adds hotfix/* to workflow_run branches filter and updates guard to use case statements; minor inconsistency between hotfix/** trigger pattern and hotfix/* guard pattern.
.github/workflows/rust-publish.yml	Branch guard correctly updated from main-only if-check to case statement covering refs/heads/main and refs/heads/hotfix/*.
.github/workflows/typescript-publish.yml	Branch guard correctly updated from main-only if-check to case statement covering refs/heads/main and refs/heads/hotfix/*.
justfile	release recipe now accepts main or hotfix/* branches; hotfix next-steps guidance updated to reflect new publish-before-merge flow; "Next steps" in release recipe still describes main-only flow.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Developer on hotfix/* branch] --> B[just release]
    B --> C{Branch guard in justfile}
    C -- main or hotfix/* --> D[Bump version, update CHANGELOG]
    C -- other --> E[❌ Exit with error]
    D --> F[git push origin HEAD]
    F --> G[Manually dispatch Publish Rust Crates]
    G --> H{rust-publish guard refs/heads/main or refs/heads/hotfix/*}
    H -- allowed --> I[Publish to crates.io, Create GitHub Release, Push git tags]
    H -- other --> J[❌ Exit with error]
    I --> K[workflow_run triggers docker-publish on main or hotfix/**]
    K --> L{docker-publish guard main or hotfix/*}
    L -- allowed --> M[Build & Push Docker image, Update GitHub Release]
    L -- other --> N[❌ Exit with error]
    F --> O[Manually dispatch Publish TypeScript SDK]
    O --> P{typescript guard refs/heads/main or refs/heads/hotfix/*}
    P -- allowed --> Q[Publish to npm, Create GitHub Release]
    P -- other --> R[❌ Exit with error]
    M --> S[Merge hotfix branch back to main]
    Q --> S

Loading

Comments Outside Diff (1)

1. justfile, line 287-289 (link)

   "Next steps" message misleading for hotfix branches

   The release recipe is now valid on both main and hotfix/* branches, but its "Next steps" echo block still only describes the main flow (create PR → merge → trigger publish). For a hotfix branch, the correct order from the updated hotfix recipe is: trigger publish workflows first, then merge to main (steps 3 and 4 in the hotfix guidance).

   Consider differentiating the message by branch, or at least noting that hotfix branches should trigger publish before merging:

_{Reviews (1): Last reviewed commit: "ci(release): allow publish flow on hotfi..." | Re-trigger Greptile}