From a6e903a9e4e1246f3fdcc9448d07040beaa15af4 Mon Sep 17 00:00:00 2001 From: Rouzax Date: Mon, 15 Jun 2026 19:27:14 +0200 Subject: [PATCH] ci: gate the release workflow on the lint and test matrix release.yml now runs tests.yml (lint + 3.11/3.12/3.13 matrix) as a 'verify' job and only builds, tags, and publishes if it passes, so a release can no longer be cut from a red main. tests.yml gains a workflow_call trigger so it is the single source of truth for both push/PR and release checks. The contents: write permission is scoped to the release job (verify stays read-only). --- .github/workflows/release.yml | 11 ++++++++--- .github/workflows/tests.yml | 1 + 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7b6f9d6..0904b93 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,12 +16,17 @@ on: required: true type: string -permissions: - contents: write - jobs: + # Gate: run the full lint + test matrix on the release ref before building. + # Reuses tests.yml so the release checks and the push/PR checks stay identical. + verify: + uses: ./.github/workflows/tests.yml + release: + needs: verify runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 51ac17e..ed957e8 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -5,6 +5,7 @@ on: branches: [main] pull_request: branches: [main] + workflow_call: # lets release.yml run this as a pre-release gate permissions: contents: read
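Review bot: Removing the workflow-level `permissions:` block leaves every job in release.yml without an explicit grant, so the `verify` job and any job added later fall back to the repository's default GITHUB_TOKEN permissions, which can be read/write depending on repository settings; the commit message's "verify stays read-only" currently holds only because tests.yml declares `contents: read` itself, and a called workflow can lower but not raise what the caller passes. Keep the least-privilege baseline explicit at the top, `permissions:` / `  contents: read`, and leave the job-level `contents: write` on `release` as the single elevation. The comment above `verify` says the matrix runs "on the release ref"; if the `workflow_dispatch` input above this hunk is a version string rather than a ref, the reusable workflow still checks out the ref the run was dispatched from, so the comment may overstate what is verified — confirm against the input's meaning. The `release` job body continues past the end of the hunk.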
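Review bot: The inline comment on the new `workflow_call:` trigger could state that the `branches: [main]` filters on `push` and `pull_request` do not apply to calls; a caller runs this workflow on whatever ref it was triggered from, and the caller's own triggers decide when that happens. Suggested wording: `workflow_call: # callable from release.yml as a pre-release gate; runs on the caller's ref, branch filters above do not apply`. It is also worth a one-line note that the existing `permissions: contents: read` further down caps the token a caller passes in, since that is what makes the gate read-only regardless of the caller's grant.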