From 748f7c53d844a376db1b64894b17247daa295c23 Mon Sep 17 00:00:00 2001
From: Idleness76 <james.barris@gmail.com>
Date: Sat, 7 Mar 2026 11:05:02 -0500
Subject: [PATCH] adjust release workflow after sekrit refresh

---
 .github/workflows/release.yml | 47 ++++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aab7a5d..333a415 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,7 @@ jobs:
     name: Release weavegraph
     runs-on: ubuntu-latest
     permissions:
+      actions: read
       contents: write
     steps:
       - name: Checkout repository
@@ -28,6 +29,38 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Ensure release runs from main
+        if: ${{ !inputs.dry_run }}
+        run: |
+          if [ "${{ github.ref }}" != "refs/heads/main" ]; then
+            echo "Error: Releases must be run from main"
+            echo "Current ref: ${{ github.ref }}"
+            exit 1
+          fi
+
+      - name: Ensure main commit has green CI
+        if: ${{ !inputs.dry_run }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          RESPONSE=$(curl -fsSL \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/workflows/ci.yml/runs?branch=main&event=push&status=success&per_page=1")
+
+          LATEST_GREEN_SHA=$(echo "$RESPONSE" | jq -r '.workflow_runs[0].head_sha // empty')
+          if [ -z "$LATEST_GREEN_SHA" ]; then
+            echo "Error: No successful ci.yml run found on main"
+            exit 1
+          fi
+
+          if [ "$LATEST_GREEN_SHA" != "${{ github.sha }}" ]; then
+            echo "Error: Current commit does not match latest green ci.yml run on main"
+            echo "Current SHA: ${{ github.sha }}"
+            echo "Latest green CI SHA: $LATEST_GREEN_SHA"
+            exit 1
+          fi
+
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
         with:
@@ -38,11 +71,6 @@ jobs:
         with:
           toolchain: nightly
 
-      - name: Install CI parity tools
-        uses: taiki-e/install-action@v2
-        with:
-          tool: cargo-semver-checks,cargo-deny
-
       - name: Validate version format
         run: |
           if ! [[ "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -67,14 +95,9 @@ jobs:
             exit 1
           fi
 
-      - name: Run full CI checks
+      - name: Run docs check
         run: |
-          cargo fmt --all -- --check
-          cargo clippy --workspace --all-targets --all-features -- -D warnings
-          cargo test --lib --all-features
           RUSTDOCFLAGS='--cfg docsrs -D warnings' cargo +nightly doc --workspace --all-features --no-deps
-          cargo semver-checks check-release --workspace
-          cargo deny check
 
       - name: Dry run cargo publish
         run: cargo publish --dry-run
@@ -90,7 +113,7 @@ jobs:
       - name: Publish to crates.io
         if: ${{ !inputs.dry_run }}
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_WEAVEGRAPH }}
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
         run: cargo publish
 
       - name: Create GitHub release