ci(release): allow publish flow on hotfix branches

.github/workflows/docker-publish.yml

@@ -14,6 +14,7 @@ on:
       - completed
     branches:
       - main
+      - hotfix/*
 
 permissions:
   contents: write
@@ -39,13 +40,23 @@ jobs:
           CURRENT_REF: ${{ github.ref }}
           HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
         run: |
-          if [ "$EVENT_NAME" = "workflow_dispatch" ] && [ "$CURRENT_REF" != "refs/heads/main" ]; then
-            echo "::error::Publish Docker Image must be dispatched from main. Current ref: $CURRENT_REF"
-            exit 1
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            case "$CURRENT_REF" in
+              refs/heads/main|refs/heads/hotfix/*) ;;
+              *)
+                echo "::error::Publish Docker Image must be dispatched from main or hotfix/*. Current ref: $CURRENT_REF"
+                exit 1
+                ;;
+            esac
           fi
-          if [ "$EVENT_NAME" = "workflow_run" ] && [ "$HEAD_BRANCH" != "main" ]; then
-            echo "::error::Publish Docker Image via workflow_run is only allowed from main. Source branch: $HEAD_BRANCH"
-            exit 1
+          if [ "$EVENT_NAME" = "workflow_run" ]; then
+            case "$HEAD_BRANCH" in
+              main|hotfix/*) ;;
+              *)
+                echo "::error::Publish Docker Image via workflow_run is only allowed from main or hotfix/*. Source branch: $HEAD_BRANCH"
+                exit 1
+                ;;
+            esac
           fi
 
       - uses: actions/checkout@v4

.github/workflows/rust-publish.yml

@@ -34,12 +34,15 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - name: Guard main branch for release publish
+      - name: Guard allowed source branch for release publish
         run: |
-          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
-            echo "::error::Publish Rust Crates must be run from main. Current ref: ${{ github.ref }}"
-            exit 1
-          fi
+          case "${{ github.ref }}" in
+            refs/heads/main|refs/heads/hotfix/*) ;;
+            *)
+              echo "::error::Publish Rust Crates must be run from main or hotfix/*. Current ref: ${{ github.ref }}"
+              exit 1
+              ;;
+          esac
 
       - uses: actions/checkout@v4
         with:

.github/workflows/typescript-publish.yml

@@ -26,15 +26,18 @@ concurrency:
 
 jobs:
   guard-main:
-    name: Guard main branch for publish
+    name: Guard allowed source branch for publish
     runs-on: ubuntu-latest
     steps:
-      - name: Fail if workflow_dispatch is not on main
+      - name: Fail if workflow_dispatch is not on an allowed branch
         run: |
-          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
-            echo "::error::Publish TypeScript SDK must be run from main. Current ref: ${{ github.ref }}"
-            exit 1
-          fi
+          case "${{ github.ref }}" in
+            refs/heads/main|refs/heads/hotfix/*) ;;
+            *)
+              echo "::error::Publish TypeScript SDK must be run from main or hotfix/*. Current ref: ${{ github.ref }}"
+              exit 1
+              ;;
+          esac
 
   # Run tests before publishing
   typescript-integration:

justfile

@@ -227,10 +227,11 @@ branch-info:
     @echo ""
     @echo "Releasing:"
     @echo "  Stable/Beta/RC: checkout main, run 'just release'"
+    @echo "  Hotfix patch: run 'just release' from hotfix/*"
     @echo "  Pre-release versions use semver suffixes (e.g. 2.3.0-beta.1)"
     @echo "  Hotfix: run 'just hotfix' from deployed stable tag"
 
-# Prepare a new release (run from main; use semver pre-release suffixes for beta/rc)
+# Prepare a new release (run from main or hotfix/*; use semver pre-release suffixes for beta/rc)
 [group('release')]
 [confirm('Start release process?')]
 release:
@@ -243,10 +244,13 @@ release:
     fi
 
     current_branch=$(git rev-parse --abbrev-ref HEAD)
-    if [ "$current_branch" != "main" ]; then
-        echo "Error: Releases must be prepared from main (current branch: $current_branch)"
-        exit 1
-    fi
+    case "$current_branch" in
+        main|hotfix/*) ;;
+        *)
+            echo "Error: Releases must be prepared from main or hotfix/* (current branch: $current_branch)"
+            exit 1
+            ;;
+    esac
 
     command -v cargo-set-version &>/dev/null || { echo "Install cargo-edit: cargo install cargo-edit"; exit 1; }
     command -v git-cliff &>/dev/null || { echo "Install git-cliff: cargo install git-cliff"; exit 1; }
@@ -282,7 +286,13 @@ release:
     echo "Ready! Next steps:"
     echo "  git commit -m 'chore: release v$version'"
     echo "  git push origin HEAD"
-    echo "  Create PR → merge → trigger 'Publish Rust Crates' workflow"
+    if [[ "$current_branch" == hotfix/* ]]; then
+        echo "  Trigger 'Publish Rust Crates' workflow from this hotfix branch"
+        echo "  Trigger 'Publish TypeScript SDK' workflow from this hotfix branch (if needed)"
+        echo "  Then merge hotfix back to main"
+    else
+        echo "  Create PR → merge → trigger 'Publish Rust Crates' workflow"
+    fi
 
 # Start a hotfix branch from a deployed stable tag
 [group('release')]
@@ -352,8 +362,9 @@ hotfix name='' base_tag='':
     echo ""
     echo "Next steps:"
     echo "  1. Apply your hotfix commits"
-    echo "  2. Push and create PR to main"
-    echo "  3. After merge, run 'just release' on main to publish"
+    echo "  2. Run 'just release' on this hotfix branch"
+    echo "  3. Trigger publish workflows from this hotfix branch"
+    echo "  4. Push and merge hotfix back to main"
 
 # Prepare a new TypeScript SDK release
 [group('release')]