From ec29340b64ddd34af9e984f2fe8bca214fd9229a Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Sun, 19 Apr 2026 12:37:46 +0200 Subject: [PATCH 1/9] Add tag input to release-build workflow_dispatch Allows manually dispatching a release build for a specific tag, producing versioned binaries (not snapshot) for that tag. Co-authored-by: Isaac --- .github/workflows/release-build.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 35f4b77b7e..aa4d88ac07 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -10,6 +10,11 @@ on: - "bugbash-*" workflow_dispatch: + inputs: + tag: + description: "Tag to build (e.g. v1.2.3). Leave empty for a snapshot build of the current ref." + type: string + required: false jobs: cli: @@ -30,6 +35,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + ref: ${{ inputs.tag || github.ref }} - name: Setup JFrog uses: ./.github/actions/setup-jfrog @@ -78,7 +84,7 @@ jobs: uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.14.3 - args: release --skip=publish ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }} + args: release --skip=publish ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} - name: Verify Windows binary signatures run: | @@ -114,6 +120,7 @@ jobs: with: fetch-depth: 0 fetch-tags: true + ref: ${{ inputs.tag || github.ref }} - name: Setup JFrog uses: ./.github/actions/setup-jfrog From 01e4e795fa2c6ea3825821e7ce8557cdfd780493 Mon Sep 17 00:00:00 2001 
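Review bot: The `tag` input is passed to checkout as a bare ref in the hunk at -30 (and again at -114), so nothing enforces that it names a tag. A branch name or commit SHA is accepted too, and as far as I know actions/checkout resolves an unqualified name against branches before tags. A non-empty `tag` is also what is meant to switch the GoReleaser step in the hunk at -78 off `--snapshot`, so a versioned build could come from a ref that is not the tag the operator typed. Qualifying the ref closes that gap: `ref: ${{ inputs.tag && format('refs/tags/{0}', inputs.tag) || github.ref }}`. Both jobs' step lists continue outside these hunks.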
From: Pieter Noordhuis Date: Sun, 19 Apr 2026 12:48:45 +0200 Subject: [PATCH 2/9] Check out workflow ref for local composite actions When building an older tag, the worktree's .github/actions may predate actions required by this workflow (e.g. setup-jfrog). Check out the workflow's own SHA into .workflow-actions and reference local actions from there. Co-authored-by: Isaac --- .github/workflows/release-build.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index aa4d88ac07..815eb73740 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -37,8 +37,18 @@ jobs: fetch-tags: true ref: ${{ inputs.tag || github.ref }} + # Check out the workflow's own ref into a side directory so local + # composite actions (e.g. setup-jfrog) are available even when the + # built ref is an older tag that predates them. + - name: Checkout workflow ref for local actions + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.sha }} + path: .workflow-actions + sparse-checkout: .github + - name: Setup JFrog - uses: ./.github/actions/setup-jfrog + uses: ./.workflow-actions/.github/actions/setup-jfrog - name: Setup Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 
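Review bot: The added side checkout does not set `persist-credentials: false`, so by actions/checkout's default the job token stays configured for git for the rest of the job, which goes on to build whatever older tag was checked out into the workspace root. This checkout only supplies `.github` files and no later git operation on `.workflow-actions` is visible, so adding `persist-credentials: false` under its `with:` should cost nothing. The same applies to the identical step added in the hunk at -122. Whether the primary checkout above already sets it cannot be seen from these hunks.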
@@ -122,8 +132,18 @@ jobs: fetch-tags: true ref: ${{ inputs.tag || github.ref }} + # Check out the workflow's own ref into a side directory so local + # composite actions (e.g. setup-jfrog) are available even when the + # built ref is an older tag that predates them. + - name: Checkout workflow ref for local actions + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.sha }} + path: .workflow-actions + sparse-checkout: .github + - name: Setup JFrog - uses: ./.github/actions/setup-jfrog + uses: ./.workflow-actions/.github/actions/setup-jfrog - name: Install uv uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 From dbdc33c214dc25e3f78b798822260e35e3b6e839 Mon Sep 17 00:00:00 2001 From: Pieter Noordhuis Date: Sun, 19 Apr 2026 05:10:13 -0700 Subject: [PATCH 3/9] Update GoReleaser args to skip Docker --- .github/workflows/release-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 815eb73740..fbe871fa0e 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -94,7 +94,7 @@ jobs: uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.14.3 - args: release --skip=publish ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} + args: release --skip=publish --skip=docker ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} - name: Verify Windows binary signatures run: | From 1719115b3016877b8ea1ee04487b404511741861 Mon Sep 17 00:00:00 2001 From: Andrew Nester Date: Sun, 19 Apr 2026 14:37:25 +0200 Subject: [PATCH 4/9] use always latest goreleaser --- .github/workflows/release-build.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index fbe871fa0e..99022b5692 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -38,14 +38,16 @@ jobs: ref: ${{ inputs.tag || github.ref }} # Check out the workflow's own ref into a side directory so local - # composite actions (e.g. setup-jfrog) are available even when the - # built ref is an older tag that predates them. + # composite actions (e.g. setup-jfrog) and the goreleaser config are + # available even when the built ref is an older tag that predates them. - name: Checkout workflow ref for local actions uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} path: .workflow-actions - sparse-checkout: .github + sparse-checkout: | + .github + .goreleaser.yaml - name: Setup JFrog uses: ./.workflow-actions/.github/actions/setup-jfrog @@ -94,7 +96,7 @@ jobs: uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.14.3 - args: release --skip=publish --skip=docker ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} + args: release --skip=publish --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} - name: Verify Windows binary signatures run: | 
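Review bot: Nothing next to the changed `args:` line in the hunk at -94 says that, with `--config .workflow-actions/.goreleaser.yaml`, a tag is built with the config at `github.sha` (the ref the workflow was dispatched from) rather than the tag's own config. The same tag can therefore produce different artifacts depending on the dispatching branch, which anyone auditing a release needs to know. I would add `# Config is taken from the workflow ref (github.sha), not from the built tag.` above the GoReleaser step. The checkout step in the hunks at -38 and -133 is still named "Checkout workflow ref for local actions" although it now also fetches the release config, so it should be renamed.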
@@ -133,14 +135,16 @@ jobs: ref: ${{ inputs.tag || github.ref }} # Check out the workflow's own ref into a side directory so local - # composite actions (e.g. setup-jfrog) are available even when the - # built ref is an older tag that predates them. + # composite actions (e.g. setup-jfrog) and the goreleaser config are + # available even when the built ref is an older tag that predates them. - name: Checkout workflow ref for local actions uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.sha }} path: .workflow-actions - sparse-checkout: .github + sparse-checkout: | + .github + .goreleaser.yaml - name: Setup JFrog uses: ./.workflow-actions/.github/actions/setup-jfrog From 1510c044a6d00ecf70188b626266bb6ff4b1fbf1 Mon Sep 17 00:00:00 2001 From: Andrew Nester Date: Sun, 19 Apr 2026 14:52:12 +0200 Subject: [PATCH 5/9] fix post hook signing --- .github/workflows/release-build.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 99022b5692..a5af604381 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -91,6 +91,13 @@ jobs: - name: Hide snapshot tag to outsmart GoReleaser run: git tag -d snapshot || true + # Overlay scripts from the workflow ref so goreleaser hooks resolve + # correctly even when building an older tag that predates them. + - name: Sync workflow scripts to working directory + run: | + mkdir -p .github/scripts + cp -r .workflow-actions/.github/scripts/. .github/scripts/ + # Use --snapshot for branch builds (non-tag refs). - name: Run GoReleaser uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 From 38860afa7d50e5219aa6e7361763690bd4e94fb9 Mon Sep 17 00:00:00 2001 
From: Andrew Nester Date: Sun, 19 Apr 2026 15:07:26 +0200 Subject: [PATCH 6/9] add publish checkbox --- .github/workflows/release-build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index a5af604381..e9fcca8669 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -15,6 +15,10 @@ on: description: "Tag to build (e.g. v1.2.3). Leave empty for a snapshot build of the current ref." type: string required: false + publish: + description: "Publish release artifacts to the GitHub release." + type: boolean + default: false jobs: cli: @@ -103,7 +107,7 @@ jobs: uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.14.3 - args: release --skip=publish --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} + args: release ${{ !inputs.publish && '--skip=publish' || '' }} --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} - name: Verify Windows binary signatures run: | From 3ab4fec628a63fae6c31aa88aa9fb440d82b0395 Mon Sep 17 00:00:00 2001 From: Andrew Nester Date: Sun, 19 Apr 2026 15:13:52 +0200 Subject: [PATCH 7/9] fix snapshot condition --- .github/workflows/release-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index e9fcca8669..dd91b98cf8 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml 
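Review bot: Publishing is controlled only by the new `publish` checkbox in the `args:` expression of the hunk at -103; it is not tied to the ref the workflow was dispatched from. Because `workflow_dispatch` runs the workflow file and, through `.workflow-actions`, the GoReleaser config of whichever branch is selected, a dispatch from an unreviewed branch could publish artifacts to an existing release. Consider also requiring the default branch, e.g. `${{ !(inputs.publish && github.ref_name == github.event.repository.default_branch) && '--skip=publish' || '' }}`, or putting the publishing job behind a protected `environment:`. The job definition lies outside the hunk, so an existing environment gate cannot be ruled out.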
@@ -107,7 +107,7 @@ jobs: uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.14.3 - args: release ${{ !inputs.publish && '--skip=publish' || '' }} --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (startsWith(github.ref, 'refs/tags/') || inputs.tag) && '' || '--snapshot' }} + args: release ${{ !inputs.publish && '--skip=publish' || '' }} --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (!startsWith(github.ref, 'refs/tags/') && !inputs.tag) && '--snapshot' || '' }} - name: Verify Windows binary signatures run: | From 6984fba960e23f49322538d23ee544c9b0444c57 Mon Sep 17 00:00:00 2001 From: Andrew Nester Date: Sun, 19 Apr 2026 15:19:09 +0200 Subject: [PATCH 8/9] add permissions + GH token --- .github/workflows/release-build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index dd91b98cf8..62f8b7e233 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -31,7 +31,7 @@ jobs: permissions: id-token: write - contents: read + contents: write steps: - name: Checkout repository @@ -108,6 +108,8 @@ jobs: with: version: v2.14.3 args: release ${{ !inputs.publish && '--skip=publish' || '' }} --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (!startsWith(github.ref, 'refs/tags/') && !inputs.tag) && '--snapshot' || '' }} + env: + GITHUB_TOKEN: ${{ github.token }} - name: Verify Windows binary signatures run: | @@ -135,7 +137,7 @@ jobs: permissions: id-token: write - contents: read + contents: write steps: - name: Checkout repository From 1c28ed67f394e1ac809d7c23c959616ce891213b Mon Sep 17 00:00:00 2001 From: Andrew Nester Date: Sun, 19 Apr 2026 15:22:00 +0200 Subject: [PATCH 9/9] make tree clean --- .github/workflows/release-build.yml | 3 +++ 1 file changed, 3 insertions(+) 
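Review bot: `contents: write` is raised on both jobs for every trigger, while the only consumer visible in this commit is the GoReleaser step of the first job, which should need write access only when `inputs.publish` is true. The hunk at -137 widens the second job although no step there receives `GITHUB_TOKEN` in this series, so I would leave that job at `contents: read`. In the first job, every step, including the build of an older tag's code, now runs with a write-scoped token; moving the upload into a separate job that runs only when `inputs.publish` is set would keep the build job read-only. Both jobs continue outside the hunks, so other uses of the token may exist that are not shown.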
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 62f8b7e233..1a7726b643 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -97,10 +97,13 @@ jobs: # Overlay scripts from the workflow ref so goreleaser hooks resolve # correctly even when building an older tag that predates them. + # Register both injected paths in .git/info/exclude so goreleaser's + # dirty-state check does not flag them as untracked files. - name: Sync workflow scripts to working directory run: | mkdir -p .github/scripts cp -r .workflow-actions/.github/scripts/. .github/scripts/ + printf '.workflow-actions/\n.github/scripts/\n' >> .git/info/exclude # Use --snapshot for branch builds (non-tag refs). - name: Run GoReleaser
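Review bot: `.git/info/exclude` only affects untracked files, so the added `printf` line hides `.workflow-actions/` and newly created scripts, but not scripts the built tag already tracks and the `cp -r` overlay has overwritten. Those still show as modified and would presumably still trip GoReleaser's dirty-state check, yet the new comment reads as if both paths were fully covered. I would state the limit in the comment, `# Only untracked files are hidden; scripts the tag already tracks will still show as modified.`. Alternatively, if the release config allows it, have the hooks read from `.workflow-actions/.github/scripts` so the tag's tree is not altered at all. The step list continues outside the hunk.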