From 8a31a06a5b895cbe6545808bd27bb77ae052c4af Mon Sep 17 00:00:00 2001 From: Axel Niklasson Yun Date: Tue, 19 May 2026 08:51:53 +0200 Subject: [PATCH 1/3] Onboard to Linear release management Adds a reusable run-linear-release.yml workflow (sync/complete jobs dogfooding linear/linear-release-action@v0), syncs the open release on every main push via ci.yml, and labels + completes the release from release.yml when a tag ships. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 10 +++ .github/workflows/release.yml | 30 +++++++++ .github/workflows/run-linear-release.yml | 78 ++++++++++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 .github/workflows/run-linear-release.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 45400ce..b55a6ca 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,3 +44,13 @@ jobs: env: CLI_VERSION: latest RUNNER_OS: ${{ runner.os }} + + sync-release: + name: Sync release management + needs: [lint, test-install] + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + uses: ./.github/workflows/run-linear-release.yml + with: + action: sync + secrets: + LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8476869..abf0cc0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,9 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + outputs: + tag: ${{ steps.vars.outputs.tag }} + version: ${{ steps.vars.outputs.version }} steps: - name: Checkout tag uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 @@ -35,6 +38,7 @@ jobs: MAJOR="${VERSION%%.*}" echo "tag=$TAG" >> "$GITHUB_OUTPUT" + echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "major=v$MAJOR" >> "$GITHUB_OUTPUT" - name: Move floating major tag forward 
@@ -59,3 +63,29 @@ jobs:
 gh release create "${TAG}" \
 --title "${TAG}" \
 --generate-notes
+
+ label-release:
+ name: Label release with version
+ needs: release
+ permissions:
+ contents: read
+ uses: ./.github/workflows/run-linear-release.yml
+ with:
+ action: sync
+ name: Release ${{ needs.release.outputs.version }}
+ version: ${{ needs.release.outputs.tag }}
+ secrets:
+ LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}
+
+ complete-release:
+ name: Complete release
+ needs: [release, label-release]
+ permissions:
+ contents: read
+ uses: ./.github/workflows/run-linear-release.yml
+ with:
+ action: complete
+ name: Release ${{ needs.release.outputs.version }}
+ version: ${{ needs.release.outputs.tag }}
+ secrets:
+ LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}
diff --git a/.github/workflows/run-linear-release.yml b/.github/workflows/run-linear-release.yml
new file mode 100644
index 0000000..89e7427
--- /dev/null
+++ b/.github/workflows/run-linear-release.yml
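Review bot: `label-release` and `complete-release` both declare `needs: release`, and the `release` job (see the "Move floating major tag forward" step in the context of the previous hunk) has already repointed the major tag by the time they start. If that major tag is the `v0` the called workflow references, the Linear steps will most likely run the release that was just cut, with `LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY` in scope. If that ordering is the intended dogfooding, it deserves a comment above `label-release`, for example `# Runs after the major tag moves, so the Linear steps execute the release just published`. It is also worth noting there that a failed `label-release` skips `complete-release`, leaving a published GitHub release with an open Linear release.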
@@ -0,0 +1,78 @@
+name: Run Linear Release
+
+on:
+ workflow_call:
+ inputs:
+ action:
+ description: "Action to perform"
+ required: true
+ type: string
+ name:
+ description: "Release name"
+ required: false
+ type: string
+ version:
+ description: "Release version"
+ required: false
+ type: string
+ secrets:
+ LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY:
+ required: true
+
+ workflow_dispatch:
+ inputs:
+ action:
+ description: "Action"
+ required: true
+ type: choice
+ options:
+ - sync
+ - complete
+ name:
+ description: "Release name"
+ required: false
+ type: string
+ version:
+ description: "Release version"
+ required: false
+ type: string
+
+permissions:
+ contents: read
+
+jobs:
+ sync:
+ name: Sync issues to release
+ if: inputs.action == 'sync'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Sync issues
+ uses: linear/linear-release-action@v0
+ with:
+ access_key: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}
+ command: sync
+ name: ${{ inputs.name }}
+ version: ${{ inputs.version }}
+
+ complete:
+ name: Complete release
+ if: inputs.action == 'complete'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Complete release
+ uses: linear/linear-release-action@v0
+ with:
+ access_key: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }}
+ command: complete
+ name: ${{ inputs.name }}
+ version: ${{ inputs.version }}
From 85844445b7c1d7f75a82cac448666727781da834 Mon Sep 17 00:00:00 2001
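Review bot: The `workflow_call` `action` input is a free-form `type: string`, so a caller typo matches neither `if: inputs.action == 'sync'` nor `if: inputs.action == 'complete'`; both jobs are then skipped and, as far as I can tell, the call does not fail. Only the `workflow_dispatch` path is constrained by `type: choice`. A small guard job that fails on any other value would surface the mistake, and the input description could list the accepted values, `description: "Action to perform (sync or complete)"`. The guard below prints a fixed message instead of interpolating the input into the script.

```yaml
jobs:
  # Fail the call instead of letting both jobs skip on an unknown action.
  validate:
    name: Validate action input
    if: inputs.action != 'sync' && inputs.action != 'complete'
    runs-on: ubuntu-latest
    steps:
      - name: Reject unsupported action
        run: |
          echo "::error::action must be 'sync' or 'complete'"
          exit 1
  # … unchanged: sync and complete jobs …
```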
From: Axel Niklasson Yun Date: Tue, 19 May 2026 08:56:59 +0200 Subject: [PATCH 2/3] Suppress zizmor unpinned-uses for self-reference linear/linear-release-action is this repo; pinning a SHA from itself isn't meaningful. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/run-linear-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/run-linear-release.yml b/.github/workflows/run-linear-release.yml index 89e7427..f23a345 100644 --- a/.github/workflows/run-linear-release.yml +++ b/.github/workflows/run-linear-release.yml @@ -52,7 +52,7 @@ jobs: persist-credentials: false - name: Sync issues - uses: linear/linear-release-action@v0 + uses: linear/linear-release-action@v0 # zizmor: ignore[unpinned-uses] dogfooding this repo with: access_key: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }} command: sync @@ -70,7 +70,7 @@ jobs: persist-credentials: false - name: Complete release - uses: linear/linear-release-action@v0 + uses: linear/linear-release-action@v0 # zizmor: ignore[unpinned-uses] dogfooding this repo with: access_key: ${{ secrets.LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY }} command: complete From 2948b9cadd43c0cb7ea1b3d1c73f30cb5340e324 Mon Sep 17 00:00:00 2001 From: Axel Niklasson Yun Date: Tue, 19 May 2026 09:05:00 +0200 Subject: [PATCH 3/3] Grant contents:read to sync-release job ci.yml uses permissions: {} at the workflow level, which caps the reusable workflow's permissions to nothing and triggers a startup failure. Setting contents:read on the job lets the called workflow check out the repo. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b55a6ca..ff3b7dd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
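Review bot: The `# zizmor: ignore[unpinned-uses]` suppression on both `uses: linear/linear-release-action@v0` lines (this hunk and the one for the `complete` job) gives "dogfooding this repo" as the reason, but `v0` is still a mutable ref and these are the steps that receive `LINEAR_RELEASE_MANAGEMENT_ACCESS_KEY`. Each job already checks the repository out, so `uses: ./` would run the action from the checked-out commit, which needs no suppression and exercises the code at that commit rather than whatever the tag currently points to; this assumes the action's metadata file sits at the repository root, which is not visible here. If the tag reference is kept on purpose, the comment should state the trust assumption it relies on (who is able to move `v0`) rather than only "dogfooding". Both jobs start outside these hunks.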
@@ -49,6 +49,8 @@ jobs:
 name: Sync release management
 needs: [lint, test-install]
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ permissions:
+ contents: read
 uses: ./.github/workflows/run-linear-release.yml
 with:
 action: sync
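Review bot: The reason for the added `permissions:` block on `sync-release` exists only in the commit message, so a later cleanup could remove it as redundant and bring the startup failure back. A comment above it would keep the constraint next to the code, for example `# Workflow-level permissions are {}; the called workflow needs contents: read to check out the repo`. The job definition begins before this hunk and continues past it.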