BUILD-11107 Switch release workflow to workflow_dispatch#311

Merged
pierre-guillot-gh merged 1 commit into master from fix/jcarsique/BUILD-11107-tagImmutability on May 20, 2026

Conversation


@julien-carsique-sonarsource julien-carsique-sonarsource commented Apr 30, 2026

Summary

  • Replace release:published event trigger with workflow_dispatch so the SBOM is generated and attached before the release is published, avoiding GitHub Release Immutability restrictions
  • The workflow now creates the git tag at HEAD from the provided tag_name input
  • Pass release-tag to SonarSource/gh-action_sbom so it can attach assets to a draft release even when GITHUB_REF is a branch ref
  • The release is published at the end of the workflow via gh release edit --draft=false
  • Pin actions/checkout references by commit SHA
  • Document the new release flow in DEVELOPER.md, including the long-lived branch caveat

Release flow

workflow_dispatch(tag_name)
  → validate version format
  → create git tag at HEAD
  → gh-action_sbom auto-creates draft release, attaches SBOM
  → promote + push to Docker Hub
  → gh release edit --draft=false  (publish)

Branch to dispatch from

The git tag is now created at HEAD of the branch the workflow is dispatched from (previously, the tag was created externally and the workflow checked it out by ref). Choose the branch accordingly:

  • Latest release: dispatch from master.
  • Maintenance release on a long-lived branch (e.g. branch-4.8): dispatch from that branch-* branch, not from master. Dispatching from master would tag a commit that does not belong to the maintenance line.

Cherry-pick required to maintenance branches

Because the workflow file is checked out from the dispatched ref, this change must be cherry-picked to every active maintenance branch before a release can be cut from it. Currently active: branch-4.8. Without the cherry-pick, dispatching the release workflow from a maintenance branch will run the old release:published-triggered version, which fails on SBOM attachment due to GitHub Release Immutability.

Recovery from a failed release

The "Create and push release tag" step performs a pre-flight git ls-remote check and prints actionable cleanup instructions if the tag already exists (delete the remote tag, and delete any orphaned draft GitHub release before re-dispatching). See DEVELOPER.md for details.

References

Test plan

  • Dispatch the workflow with a valid tag name — verify the tag is created, SBOM is attached to the draft release, and the release is published at the end
  • Dispatch with an invalid tag format — verify early exit with a clear error message
  • Dispatch with a tag that already exists on origin — verify the pre-flight check fails with the cleanup instructions
  • After merge, cherry-pick to branch-4.8 (and any other active maintenance branch) so maintenance releases can use the new flow


hashicorp-vault-sonar-prod Bot commented Apr 30, 2026

BUILD-11107

@julien-carsique-sonarsource julien-carsique-sonarsource force-pushed the fix/jcarsique/BUILD-11107-tagImmutability branch from ca565a0 to e3e7b1a on May 4, 2026 13:41
@julien-carsique-sonarsource julien-carsique-sonarsource marked this pull request as ready for review May 4, 2026 13:42

sonar-review-alpha Bot commented May 4, 2026

Summary

What changed: The release workflow now triggers on manual dispatch (workflow_dispatch) instead of GitHub release events. The workflow creates the git tag at HEAD from the provided tag_name input, creates a draft release with SBOM via gh-action_sbom, then publishes it at the end. This avoids GitHub's Release Immutability restrictions by attaching assets before publishing.

Why: Previous flow (tag → push → publish release) created published releases that cannot be modified. New flow creates draft releases first (allowing asset attachment), then publishes only after everything is attached.

What reviewers should know

Critical flow: The release is now a three-stage process: (1) validate tag format and create git tag, (2) generate SBOM and promote Docker image in draft release, (3) publish via gh release edit --draft=false. Reviewers should trace this end-to-end.

Key implementation details:

  • Tag validation happens early via regex at Get the version step — escapes dots properly now (\. instead of .)
  • Pre-flight check prevents re-running with same tag: checks if tag exists before creating, exits with recovery instructions
  • release-tag parameter passed to gh-action_sbom is crucial — enables SBOM action to attach to draft release even when GITHUB_REF is a branch (depends on BUILD-11107 Support GitHub Release Immutability gh-action_sbom#80)
  • actions/checkout pinned by commit SHA for determinism

Testing gaps to watch for: The recovery procedure (delete tag + delete draft release) is now essential if workflow fails mid-run. Verify the pre-flight check message is clear enough for operators, and that workflow logs explain what happened if tag creation fails.

Documentation: Added DEVELOPER.md section explaining the release process, branch selection (critical for maintenance releases on branch-* branches), and explicit recovery steps. Make sure this matches your internal release runbooks.


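The tag validation, pre-flight check and final publish described in the PR summary and in the review bot's "Key implementation details", written out as an added stand-alone shell script. This is example code, not the project's release.yml: the version pattern, the default remote name `origin`, the `DRY_RUN` switch and the function names are assumptions; `git ls-remote --exit-code`, `gh release delete --yes` and `gh release edit --draft=false` are the real CLI calls. In the real workflow the SBOM generation (which creates the draft release) and the Docker promotion run between the tag push and the publish step.

```shell
#!/usr/bin/env sh
# Added example, not the project's release.yml: a stand-alone script that
# mirrors the "Get the version" and "Create and push release tag" steps and
# the final publish step described in the PR. The version pattern, the
# remote name, the DRY_RUN switch and the function names are assumptions.
set -eu

# Assumed version format: MAJOR.MINOR.PATCH with an optional pre-release
# suffix. Dots are escaped, so "4x8x0" is rejected and "4.8.0" accepted.
VERSION_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "[dry-run] $*"
  else
    "$@"
  fi
}

# validate_version TAG: 0 if TAG matches VERSION_RE, 1 otherwise (early exit
# with a clear message, before anything touches the remote).
validate_version() {
  if printf '%s\n' "$1" | grep -Eq "$VERSION_RE"; then
    return 0
  fi
  echo "error: '$1' is not a valid release version (expected e.g. 4.8.0)" >&2
  return 1
}

# tag_exists_on_remote REMOTE TAG: pre-flight check against the remote, not
# the local clone. --exit-code makes git return 2 when nothing matches, and
# the full ref name avoids matching 4.8.0-rc1 when asking about 4.8.0.
tag_exists_on_remote() {
  git ls-remote --tags --exit-code "$1" "refs/tags/$2" >/dev/null 2>&1
}

# create_release_tag TAG [REMOTE]: validate, pre-flight, then tag HEAD and
# push only the tag. Returns 1 on a bad tag name, 2 when the tag already
# exists (printing the cleanup an operator must do before re-dispatching).
create_release_tag() {
  tag="$1"; remote="${2:-origin}"
  validate_version "$tag" || return 1
  if tag_exists_on_remote "$remote" "$tag"; then
    printf '%s\n' \
      "error: tag '$tag' already exists on '$remote'; a previous run probably failed mid-way." \
      "To retry: git push $remote --delete refs/tags/$tag, delete any orphaned draft" \
      "GitHub release for $tag (gh release delete $tag --yes), then re-dispatch." >&2
    return 2
  fi
  run git tag -a "$tag" -m "Release $tag"
  run git push "$remote" "refs/tags/$tag"
}

# publish_release TAG: flip the draft release (created earlier, with the SBOM
# already attached) to published. Nothing is uploaded after this point, so
# GitHub Release Immutability is never hit.
publish_release() {
  run gh release edit "$1" --draft=false
}

# Usage: DRY_RUN=1 ./release-tag.sh 4.9.0 [origin]
# (the real workflow runs SBOM generation and Docker promotion in between)
if [ "$#" -gt 0 ]; then
  create_release_tag "$@"
  publish_release "$1"
fi
```

Running it with `DRY_RUN=1` prints the git and gh commands instead of executing them, which is a cheap way to rehearse the recovery path: dispatch once with a tag that is already on the remote and confirm the script stops at the pre-flight check with the cleanup instructions rather than reaching `git tag`.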


@julien-carsique-sonarsource julien-carsique-sonarsource force-pushed the fix/jcarsique/BUILD-11107-tagImmutability branch from e3e7b1a to e66fae4 on May 4, 2026 15:00

@julien-carsique-sonarsource julien-carsique-sonarsource force-pushed the fix/jcarsique/BUILD-11107-tagImmutability branch from e66fae4 to d520116 on May 4, 2026 15:13

Comment thread .github/workflows/release.yml
@julien-carsique-sonarsource julien-carsique-sonarsource requested a review from a team May 18, 2026 12:38
Replace the release:published event trigger with workflow_dispatch so
the SBOM can be attached before the release is published, avoiding
GitHub Release Immutability restrictions (HTTP 422 on asset upload to
published releases).

The workflow now creates the git tag at HEAD, delegates SBOM
generation to SonarSource/gh-action_sbom (which auto-creates a draft
release), then publishes the release once all assets are attached.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>



@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅


@pierre-guillot-gh pierre-guillot-gh merged commit a98a046 into master May 20, 2026
12 checks passed
@pierre-guillot-gh pierre-guillot-gh deleted the fix/jcarsique/BUILD-11107-tagImmutability branch May 20, 2026 09:20