fix: address review findings for release workflow correctness

## What

Moved tag creation into create_release job, removed update_major_tag job
and its input, added GoReleaser config validation via yq to enforce
release.disable: true, fixed -f to -F for boolean in publish_release,
made go-version-file configurable, made upload globs resilient with
nullglob, consolidated discussion validation into a single input check,
and pinned release_image checkout to the tagged commit.

## Why

The draft-first pattern changed when git tags are created, but downstream
jobs hadn't been updated to account for that. Multiple review agents
independently identified race conditions, a silent publish failure, and
fragile assumptions that needed fixing before this is mergeable.

## Notes

- Removing the `update-major-tag` input is a breaking change for callers
  that explicitly set it — major tag is now always pushed in create_release
- The yq install adds a step to the GoReleaser job; mikefarah/yq action
  is SHA-pinned but is a new third-party dependency
- GoReleaser config validation only checks `release.disable` not
  `changelog.disable` — the latter is recommended but not enforced since
  it won't cause conflicts

Signed-off-by: jmeridth <jmeridth@gmail.com>

Author: jmeridth

.github/workflows/release.yaml

@@ -11,10 +11,6 @@ on:
       release-config-name:
         required: true
         type: string
-      update-major-tag:
-        required: false
-        type: boolean
-        default: true
       image-name:
         description: "Docker image name (e.g., owner/repo). Enables image build/push when set."
         required: false
@@ -45,6 +41,11 @@ on:
         required: false
         type: string
         default: ""
+      go-version-file:
+        description: "Path to go.mod or go.work file for Go version detection. Used by the GoReleaser job."
+        required: false
+        type: string
+        default: "go.mod"
     secrets:
       github-token:
         required: true
@@ -94,6 +95,11 @@ jobs:
         uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
           egress-policy: audit
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: true # Required for git push of tags
       - name: Draft release
         id: release-drafter
         uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
@@ -106,40 +112,19 @@ jobs:
         run: |
           short_tag=$(echo "${{ steps.release-drafter.outputs.tag_name }}" | cut -d. -f1)
           echo "SHORT_TAG=$short_tag" >> "$GITHUB_OUTPUT"
-
-  update_major_tag:
-    needs: create_release
-    if: ${{ inputs.update-major-tag && needs.create_release.outputs.full-tag != '' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # Force-push major version tag
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
-        with:
-          egress-policy: audit
-
-      - name: Checkout Repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          ref: ${{ needs.create_release.outputs.full-tag }}
-          persist-credentials: true # Required for git push
-
-      - name: Force update major tag
+      - name: Create and push tags
         run: |
-          git tag -f "${SHORT}" "${FULL}"
-          git push -f origin "${SHORT}"
-        env:
-          SHORT: ${{ needs.create_release.outputs.short-tag }}
-          FULL: ${{ needs.create_release.outputs.full-tag }}
+          git tag "${{ steps.release-drafter.outputs.tag_name }}"
+          git tag -f "${{ steps.get_tag_name.outputs.SHORT_TAG }}" "${{ steps.release-drafter.outputs.tag_name }}"
+          git push origin "${{ steps.release-drafter.outputs.tag_name }}"
+          git push -f origin "${{ steps.get_tag_name.outputs.SHORT_TAG }}"
 
   release_goreleaser:
     needs: create_release
     if: ${{ inputs.goreleaser-config-path != '' && needs.create_release.outputs.full-tag != '' }}
     runs-on: ubuntu-latest
     permissions:
-      contents: write # Upload release assets and push tags
+      contents: write # Upload release assets
       id-token: write # Federate for artifact attestation
       attestations: write # Generate artifact attestations
     steps:
@@ -152,17 +137,30 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          persist-credentials: true # Required for git push of tags
+          persist-credentials: false
+
+      - name: Install yq
+        uses: mikefarah/yq@f71c26247e2b5278a5e07e662b2c6e3a1a72e67e # v4.45.4
+        with:
+          cmd: echo "yq installed"
 
-      - name: Create and push tag
+      - name: Validate GoReleaser config has release disabled
         run: |
-          git tag "${{ needs.create_release.outputs.full-tag }}"
-          git push origin "${{ needs.create_release.outputs.full-tag }}"
+          config="${{ inputs.goreleaser-config-path }}"
+          if ! [ -f "$config" ]; then
+            echo "::error::GoReleaser config file not found: $config"
+            exit 1
+          fi
+          release_disabled=$(yq '.release.disable' "$config")
+          if [ "$release_disabled" != "true" ]; then
+            echo "::error::GoReleaser config must have 'release: disable: true' to prevent conflicting with the draft release created by this workflow. See https://github.com/github-community-projects/ospo-reusable-workflows/blob/main/docs/release.md#goreleaser-configuration"
+            exit 1
+          fi
 
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version-file: go.mod
+          go-version-file: ${{ inputs.go-version-file }}
 
       - name: Build with GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
@@ -175,10 +173,14 @@ jobs:
 
       - name: Upload artifacts to draft release
         run: |
+          shopt -s nullglob
+          files=(dist/*.tar.gz dist/*.zip dist/checksums.txt)
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "::error::No artifacts found in dist/ to upload"
+            exit 1
+          fi
           gh release upload "${{ needs.create_release.outputs.full-tag }}" \
-            dist/*.tar.gz \
-            dist/*.zip \
-            dist/checksums.txt \
+            "${files[@]}" \
             --clobber
         env:
           GH_TOKEN: ${{ secrets.github-token }}
@@ -232,6 +234,7 @@ jobs:
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          ref: ${{ needs.create_release.outputs.full-tag }}
           persist-credentials: false
 
       - name: Set up Docker Buildx
@@ -298,20 +301,18 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Validate discussion repository ID
-        if: ${{ env.DISCUSSION_REPOSITORY_ID == '' }}
-        run: |
-          echo "::notice::discussion-repository-id secret is not set, skipping discussion creation"
-          exit 0
-
-      - name: Validate discussion category ID
-        if: ${{ env.DISCUSSION_CATEGORY_ID == '' }}
+      - name: Check discussion inputs
+        id: check-inputs
         run: |
-          echo "::notice::discussion-category-id secret is not set, skipping discussion creation"
-          exit 0
+          if [ -z "${DISCUSSION_REPOSITORY_ID}" ] || [ -z "${DISCUSSION_CATEGORY_ID}" ]; then
+            echo "::notice::discussion-repository-id and/or discussion-category-id secrets are not set, skipping discussion creation"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Create an Announcement Discussion for Release
-        if: ${{ env.DISCUSSION_REPOSITORY_ID != '' && env.DISCUSSION_CATEGORY_ID != '' }}
+        if: ${{ steps.check-inputs.outputs.skip == 'false' }}
         uses: abirismyname/create-discussion@c2b7c825241769dda523865ae444a879f6bbd0e0
         with:
           title: ${{ needs.create_release.outputs.full-tag }}
@@ -321,12 +322,11 @@ jobs:
           github-token: ${{ secrets.github-token }}
 
   publish_release:
-    needs: [create_release, update_major_tag, release_goreleaser, release_image, release_discussion]
+    needs: [create_release, release_goreleaser, release_image, release_discussion]
     if: >
       always() &&
       inputs.publish &&
       needs.create_release.result == 'success' &&
-      (needs.update_major_tag.result == 'success' || needs.update_major_tag.result == 'skipped') &&
       (needs.release_goreleaser.result == 'success' || needs.release_goreleaser.result == 'skipped') &&
       (needs.release_image.result == 'success' || needs.release_image.result == 'skipped') &&
       (needs.release_discussion.result == 'success' || needs.release_discussion.result == 'skipped')
@@ -344,6 +344,6 @@ jobs:
           gh api \
             --method PATCH \
             "/repos/${{ github.repository }}/releases/${{ needs.create_release.outputs.release-id }}" \
-            -f draft=false
+            -F draft=false
         env:
           GH_TOKEN: ${{ secrets.github-token }}

docs/release.md

@@ -20,13 +20,13 @@ Consolidated release workflow that creates a draft release, optionally builds ar
     # The name of the configuration file to use
     # from the release-drafter/release-drafter GitHub Action
     release-config-name: release-drafter.yml
-    # Boolean flag whether to update major tag to latest full semver tag, default is true
-    update-major-tag: true
 
     # --- Optional: GoReleaser build/upload ---
     # Setting goreleaser-config-path enables the GoReleaser job
     # Path to GoReleaser config file (e.g., .goreleaser.yaml)
     goreleaser-config-path: .goreleaser.yaml
+    # Path to go.mod or go.work file for Go version detection, default is go.mod
+    go-version-file: go.mod
 
     # --- Optional: Docker image build/push ---
     # Setting image-name enables the image build/push job
@@ -78,12 +78,25 @@ jobs:
 
 The workflow runs up to six jobs:
 
-1. **create_release** - Always runs. Creates a draft release via release-drafter.
-2. **update_major_tag** - Runs when `update-major-tag` is true. Force-updates the major version tag.
-3. **release_goreleaser** - Runs when `goreleaser-config-path` is set. Builds Go binaries, uploads artifacts to the draft release, and optionally creates attestations.
-4. **release_image** - Runs when `image-name` is set. Builds and pushes a multi-platform Docker image, and optionally creates attestations.
-5. **release_discussion** - Runs when both `discussion-category-id` and `discussion-repository-id` secrets are set. Creates a GitHub Discussions announcement.
-6. **publish_release** - Runs when `publish` is true and all preceding jobs succeed (or are skipped). Publishes the draft release.
+1. **create_release** - Always runs. Creates a draft release via release-drafter, then creates and pushes the full and major version git tags.
+2. **release_goreleaser** - Runs when `goreleaser-config-path` is set. Builds Go binaries, uploads artifacts to the draft release, and optionally creates attestations.
+3. **release_image** - Runs when `image-name` is set. Builds and pushes a multi-platform Docker image, and optionally creates attestations.
+4. **release_discussion** - Runs when both `discussion-category-id` and `discussion-repository-id` secrets are set. Creates a GitHub Discussions announcement.
+5. **publish_release** - Runs when `publish` is true and all preceding jobs succeed (or are skipped). Publishes the draft release.
+
+## GoReleaser Configuration
+
+When using the `goreleaser-config-path` input, your GoReleaser config **must** disable release and changelog management since this workflow handles both via release-drafter:
+
+```yaml
+release:
+  disable: true
+
+changelog:
+  disable: true
+```
+
+Without these settings, GoReleaser will attempt to create its own GitHub release, conflicting with the draft release created by release-drafter.
 
 ## Notes