fix(release): harden publish artifact handoff

.github/actions/collect-ci-summary/action.yml

@@ -12,5 +12,5 @@ runs:
           echo
           echo "- Moon projects: \`moon query projects\`"
           echo "- Moon tasks: \`moon query tasks\`"
-          echo "- Release plan: \`tools/release/release.py plan --from-product-tags --head-ref HEAD\`"
+          echo "- Release plan: \`tools/release/release.py plan --from-product-tags --head-ref <release-ref>\`"
         } >> "$GITHUB_STEP_SUMMARY"

.github/scripts/download-wasix-runtime-build-artifacts.sh

@@ -2,13 +2,17 @@
 set -euo pipefail
 
 : "${GITHUB_TOKEN:?GITHUB_TOKEN is required}"
-: "${GITHUB_SHA:?GITHUB_SHA is required}"
+release_sha="${RELEASE_HEAD_SHA:-${GITHUB_SHA:-}}"
+if [[ -z "$release_sha" ]]; then
+  echo "RELEASE_HEAD_SHA or GITHUB_SHA is required" >&2
+  exit 2
+fi
 
-# Installs the portable and AOT WASIX runtime outputs from the selected same-SHA
+# Installs the portable and AOT WASIX runtime outputs from the selected release
 # CI workflow whose artifact builder gate passed. This is a release artifact
 # handoff, not a release-time runtime rebuild.
 if [[ -n "${CI_RUN_ID:-}" ]]; then
   cargo run -p xtask -- assets download --run-id "$CI_RUN_ID" --required-job Builds --all-targets
 else
-  cargo run -p xtask -- assets download --sha "$GITHUB_SHA" --required-job Builds --all-targets
+  cargo run -p xtask -- assets download --sha "$release_sha" --required-job Builds --all-targets
 fi

.github/scripts/resolve-release-head.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${GITHUB_SHA:?GITHUB_SHA is required}"
+: "${GITHUB_REF:?GITHUB_REF is required}"
+: "${GITHUB_RUN_ID:?GITHUB_RUN_ID is required}"
+: "${GITHUB_OUTPUT:?GITHUB_OUTPUT is required}"
+: "${GITHUB_ENV:?GITHUB_ENV is required}"
+
+input="${INPUT_RELEASE_COMMIT:-}"
+workflow_sha="$(git rev-parse "${GITHUB_SHA}^{commit}")"
+
+if [[ -z "$input" ]]; then
+  release_sha="$workflow_sha"
+else
+  if [[ ! "$input" =~ ^[0-9a-fA-F]{40}$ ]]; then
+    echo "release_commit must be a full 40-character commit SHA, got: $input" >&2
+    exit 2
+  fi
+  release_sha="$(git rev-parse "${input}^{commit}")"
+  release_sha_lower="$(printf '%s' "$release_sha" | tr '[:upper:]' '[:lower:]')"
+  input_lower="$(printf '%s' "$input" | tr '[:upper:]' '[:lower:]')"
+  if [[ "$release_sha_lower" != "$input_lower" ]]; then
+    echo "release_commit resolved to $release_sha, not $input" >&2
+    exit 2
+  fi
+fi
+
+if [[ "$GITHUB_REF" != "refs/heads/main" ]]; then
+  echo "Releases must be run from main; got $GITHUB_REF" >&2
+  exit 2
+fi
+
+uses_temporary_target_branch=false
+target_branch="main"
+if [[ "$release_sha" != "$workflow_sha" ]]; then
+  if ! git merge-base --is-ancestor "$release_sha" "$workflow_sha"; then
+    echo "release_commit $release_sha must be an ancestor of workflow commit $workflow_sha" >&2
+    exit 2
+  fi
+
+  disallowed=()
+  while IFS= read -r path; do
+    [[ -n "$path" ]] || continue
+    case "$path" in
+      .github/actions/*|.github/scripts/*|.github/workflows/*|tools/policy/*|tools/release/*|tools/xtask/*|docs/maintainers/release-setup.md)
+        ;;
+      *)
+        disallowed+=("$path")
+        ;;
+    esac
+  done < <(git diff --name-only "$release_sha" "$workflow_sha" --)
+
+  if [[ "${#disallowed[@]}" -gt 0 ]]; then
+    echo "release_commit can lag the workflow commit only across release-tooling changes." >&2
+    echo "These intervening paths are not release tooling:" >&2
+    printf '  %s\n' "${disallowed[@]}" >&2
+    exit 2
+  fi
+
+  uses_temporary_target_branch=true
+  target_branch="release-target/${release_sha:0:12}-${GITHUB_RUN_ID}"
+fi
+
+{
+  echo "sha=$release_sha"
+  echo "workflow_sha=$workflow_sha"
+  echo "target_branch=$target_branch"
+  echo "uses_temporary_target_branch=$uses_temporary_target_branch"
+} >> "$GITHUB_OUTPUT"
+echo "RELEASE_HEAD_SHA=$release_sha" >> "$GITHUB_ENV"
+
+echo "workflow commit: $workflow_sha"
+echo "release commit:  $release_sha"
+echo "release-please target branch: $target_branch"

docs/maintainers/release-setup.md

@@ -85,6 +85,21 @@ tools/release/release.py plan --from-product-tags --include-current-tags --head-
 tools/release/release.py check
 ```
 
+For normal releases, leave the `Release` workflow's `release_commit` input
+empty. If a publish or dry-run fails and a later `main` commit only fixes
+release tooling, rerun `Release` from current `main` with `release_commit` set
+to the full 40-character SHA that should be published. The workflow still runs
+the latest release scripts, but it plans the release, selects CI artifacts,
+checks product tags, and verifies publication against that selected release
+commit. During `publish`, the workflow creates a temporary release-please target
+branch at the selected commit so product tags and GitHub releases point at the
+published source commit, then removes that temporary branch.
+
+Do not use `release_commit` to skip CI for product source, version, changelog,
+or release metadata changes. The workflow rejects lagging release commits unless
+the intervening files are release tooling such as `.github/workflows/`,
+`.github/scripts/`, `tools/release/`, `tools/policy/`, or `tools/xtask/`.
+
 ## crates.io
 
 Products:

src/extensions/evidence/runs/2026-06-07-transitional-catalog-smoke.json

@@ -514,7 +514,7 @@
     }
   ],
   "schema": "oliphaunt-extension-evidence-v1",
-  "sourceDigest": "sha256:c836712ccd4a1f5d8c51092bd607e0e43d2968d76d8126cdb9252e9a84b1f610",
+  "sourceDigest": "sha256:27564e421f14e35ac3dc4ca476c4a8e5ab6d246608bdd0d5ffd185c5864fddb1",
   "sourceDigestInputs": [
     "src/postgres/versions/18/source.toml",
     "src/extensions/catalog/extensions.promoted.toml",