From cbb5ba4a25f35da607f7d2751474c6a9fa4d1acd Mon Sep 17 00:00:00 2001
From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:02:06 +0100
Subject: [PATCH 1/9] ci: secure release build with workflows run on main

---
 .github/workflows/release.yml | 55 ++++++++++++++++++++++++++---------
 1 file changed, 41 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4318da64..5f8e4080 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,6 +23,7 @@ on:
 
 permissions:
   contents: write
+  actions: read
 
 jobs:
   release:
@@ -36,11 +37,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          # Always checkout the workflow ref (branch/tag selected in the UI or the pushed tag ref).
-          # Never treat the "tag" input as a git ref.
           ref: ${{ github.ref }}
 
       - name: Show PowerShell version
@@ -71,23 +70,52 @@ jobs:
         shell: pwsh
         run: |
           $tag = '${{ steps.tag.outputs.value }}'
-          # Stable tags: vMAJOR.MINOR.PATCH (e.g. v0.7.0)
           $isStable = $tag -match '^v\d+\.\d+\.\d+$'
-          # Pre-release tags: vMAJOR.MINOR.PATCH-<label> (e.g. v0.7.0-preview.1)
           $isPrerelease = $tag -match '^v\d+\.\d+\.\d+-[0-9A-Za-z][0-9A-Za-z\.\-]*$'
 
           "is_stable=$($isStable.ToString().ToLowerInvariant())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
           "is_prerelease=$($isPrerelease.ToString().ToLowerInvariant())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
 
+      - name: Require green CI on the target commit
+        if: ${{ inputs.publish_release == true || inputs.publish_psgallery == true || startsWith(github.ref, 'refs/tags/v') }}
+        shell: pwsh
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          Set-StrictMode -Version Latest
+          $ErrorActionPreference = 'Stop'
+
+          $repo = '${{ github.repository }}'
+          $sha  = '${{ github.sha }}'
+
+          # NOTE: This must match the workflow filename for CI.
+          # In this repository it is: .github/workflows/ci.yml
+          $uri = "https://api.github.com/repos/$repo/actions/workflows/ci.yml/runs?per_page=5&head_sha=$sha"
+
+          $headers = @{
+            Authorization = "Bearer $env:GH_TOKEN"
+            Accept        = "application/vnd.github+json"
+            "X-GitHub-Api-Version" = "2022-11-28"
+          }
+
+          $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
+          $run = $resp.workflow_runs | Sort-Object run_number -Descending | Select-Object -First 1
+
+          if (-not $run) {
+            throw "No CI workflow run found for SHA $sha. Ensure CI runs on main for this commit before releasing."
+          }
+
+          if ($run.status -ne 'completed' -or $run.conclusion -ne 'success') {
+            throw "CI is not green for SHA $sha. Status=$($run.status), Conclusion=$($run.conclusion)."
+          }
+
+          Write-Host "CI is green for SHA $sha (run #$($run.run_number))."
+
       - name: Validate tag version matches module manifest version(s)
         shell: pwsh
         run: |
           $tag = '${{ steps.tag.outputs.value }}'
 
-          # Accept stable tags and prerelease tags, but always extract the base version (MAJOR.MINOR.PATCH).
-          # Examples:
-          # - v0.7.0             -> 0.7.0
-          # - v0.7.0-preview.1   -> 0.7.0
           if ($tag -notmatch '^v(\d+\.\d+\.\d+)(?:-[0-9A-Za-z][0-9A-Za-z\.\-]*)?$') {
             Write-Host "Tag '$tag' is not SemVer-like. Skipping module version validation."
             exit 0
@@ -96,7 +124,6 @@ jobs:
           $expectedVersion = $Matches[1]
           Write-Host "Expected module version from tag: $expectedVersion"
 
-          # Strict mode (default): all shipped module manifests must match the tag version.
           $manifestPaths = @(
             'src/IdLE/IdLE.psd1',
             'src/IdLE.Core/IdLE.Core.psd1',
@@ -164,7 +191,7 @@ jobs:
 
       - name: Upload workflow artifact (expanded folder)
         if: ${{ inputs.publish_release != true && !startsWith(github.ref, 'refs/tags/v') }}
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: IdLE-${{ steps.tag.outputs.value }}-expanded
           path: artifacts/staging-${{ steps.tag.outputs.value }}
@@ -172,7 +199,7 @@ jobs:
 
       - name: Upload workflow artifact (zip)
         if: ${{ inputs.publish_release == true || startsWith(github.ref, 'refs/tags/v') }}
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v4
         with:
           name: IdLE-${{ steps.tag.outputs.value }}-zip
           path: artifacts/IdLE-${{ steps.tag.outputs.value }}.zip
@@ -196,7 +223,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ github.ref }}
@@ -264,7 +291,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ github.ref }}

From 33c1938cb63ccb3a0bcc7f79ba50ce80b29ac7b0 Mon Sep 17 00:00:00 2001
From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:02:31 +0100
Subject: [PATCH 2/9] docs: fix lint test

---
 docs/index.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index 95a42ed4..a2fb2e44 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -50,4 +50,3 @@ used between IdLE and its hosts.
 - [Contributing](../CONTRIBUTING.md)
 - [Style guide](../STYLEGUIDE.md)
 - [Examples](../examples/README.md)
-

From 32d332225adc7e0d35bbb7b3875053ff14dd9d02 Mon Sep 17 00:00:00 2001
From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:05:21 +0100
Subject: [PATCH 3/9] ci: check release tagging always against main

---
 .github/workflows/release.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5f8e4080..2a1de9d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -76,6 +76,24 @@ jobs:
           "is_stable=$($isStable.ToString().ToLowerInvariant())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
           "is_prerelease=$($isPrerelease.ToString().ToLowerInvariant())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append -Encoding utf8
 
+      - name: Require tag to point to main HEAD
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        shell: pwsh
+        run: |
+          Set-StrictMode -Version Latest
+          $ErrorActionPreference = 'Stop'
+
+          git fetch origin main --depth 1 | Out-Null
+
+          $tagSha  = (git rev-parse '${{ github.sha }}').Trim()
+          $mainSha = (git rev-parse 'origin/main').Trim()
+
+          if ($tagSha -ne $mainSha) {
+            throw "Tag does not point to origin/main HEAD. Tag SHA=$tagSha, main SHA=$mainSha"
+          }
+
+          Write-Host "Tag points to origin/main HEAD ($mainSha)."
+
       - name: Require green CI on the target commit
         if: ${{ inputs.publish_release == true || inputs.publish_psgallery == true || startsWith(github.ref, 'refs/tags/v') }}
         shell: pwsh

From 92025db037349a5be667891c1ab5ada6b8d1e1e9 Mon Sep 17 00:00:00 2001
From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:07:14 +0100
Subject: [PATCH 4/9] docs: document release workflow safety gates

---
 docs/advanced/releases.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/advanced/releases.md b/docs/advanced/releases.md
index 790d8df9..03eb5603 100644
--- a/docs/advanced/releases.md
+++ b/docs/advanced/releases.md
@@ -17,6 +17,16 @@ Pre-release tags are **GitHub-only** (no PowerShell Gallery publish).
 - Publishing to PowerShell Gallery is protected via a GitHub **Environment** (`psgallery-prod`) and requires approval.
 - A local end-to-end publish test runs in CI (publishes to a local repository, then installs/imports the module).
 
+## Release workflow safety gates
+
+The Release workflow enforces additional guardrails for tagged releases:
+
+- **Tag must point to `origin/main` HEAD** (fail-fast).
+- **CI must be green for the tag commit** (`ci.yml` must have a successful run for the same SHA).
+- **Tag base version must match all shipped module manifests**.
+
+These checks prevent "broken" releases (e.g., tagging the wrong commit or forgetting the version bump).
+
 ## Versioning policy
 
 ### Stable tags

From 72073664dd87006b88c1bbbb5da1c812aeeb49fc Mon Sep 17 00:00:00 2001
From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:08:37 +0100
Subject: [PATCH 5/9] docs: change to proper version number in release docs

---
 docs/advanced/releases.md | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/docs/advanced/releases.md b/docs/advanced/releases.md
index 03eb5603..e69c2c0b 100644
--- a/docs/advanced/releases.md
+++ b/docs/advanced/releases.md
@@ -33,7 +33,7 @@ These checks prevent "broken" releases (e.g., tagging the wrong commit or forget
 
 Stable releases use tags in the form:
 
-- `vMAJOR.MINOR.PATCH` (example: `v0.7.0`)
+- `vMAJOR.MINOR.PATCH` (example: `v1.2.0`)
 
 For stable releases, all shipped module manifests must have:
 
@@ -43,24 +43,24 @@ For stable releases, all shipped module manifests must have:
 
 Pre-releases use tags in the form:
 
-- `vMAJOR.MINOR.PATCH-<label>` (example: `v0.7.0-preview.1`, `v0.7.0-rc.1`)
+- `vMAJOR.MINOR.PATCH-<label>` (example: `v1.2.0-preview.1`, `v1.2.0-rc.1`)
 
 **Important:** the module manifests still use the *base* version:
 
 - `ModuleVersion = MAJOR.MINOR.PATCH`
 
-That means: to cut `v0.7.4-preview.1`, the manifests must already be bumped to `0.7.4`.  
+That means: to cut `v1.2.4-preview.1`, the manifests must already be bumped to `1.2.4`.  
 (The Release workflow extracts the base version and validates it against all module manifests.)
 
 Pre-release tags do **not** publish to PowerShell Gallery.
 
 ## Release preparation (always via PR)
 
-1. Create a branch for the release preparation (for example: `release/v0.7.0`).
+1. Create a branch for the release preparation (for example: `release/v1.2.0`).
 2. Bump all shipped module versions using the repository tool:
 
    ```powershell
-   pwsh -NoProfile -File ./tools/Set-IdleModuleVersion.ps1 -TargetVersion 0.7.0
+   pwsh -NoProfile -File ./tools/Set-IdleModuleVersion.ps1 -TargetVersion 1.2.0
    ```
 
 3. Run tests:
@@ -93,15 +93,15 @@ The workflow uploads an expanded artifact as a workflow run artifact.
 
 Use this when you want a GitHub-only preview build.
 
-1. Ensure the manifests are bumped to the target base version (PR merged), e.g. `0.7.4`.
+1. Ensure the manifests are bumped to the target base version (PR merged), e.g. `1.2.4`.
 2. Create an annotated tag on the `main` merge commit:
 
    ```bash
    git checkout main
    git pull --ff-only
 
-   git tag -a v0.7.4-preview.1 -m "IdLE v0.7.4-preview.1"
-   git push origin v0.7.4-preview.1
+   git tag -a v1.2.4-preview.1 -m "IdLE v1.2.4-preview.1"
+   git push origin v1.2.4-preview.1
    ```
 
 3. The Release workflow will:
@@ -114,7 +114,7 @@ If you need another preview, repeat with `preview.2`, etc. (no version bump requ
 
 ## Cut a stable release (GitHub Release + optional PSGallery publish)
 
-1. Ensure the manifests are bumped to the target version (PR merged), e.g. `0.7.0`.
+1. Ensure the manifests are bumped to the target version (PR merged), e.g. `1.2.0`.
 2. Create an annotated tag:
 
    ```bash
@@ -122,10 +122,10 @@ If you need another preview, repeat with `preview.2`, etc. (no version bump requ
    git pull --ff-only
 
    # Create an annotated tag (recommended)
-   git tag -a v0.7.0 -m "IdLE v0.7.0"
+   git tag -a v1.2.0 -m "IdLE v1.2.0"
 
    # Push the tag to trigger the Release workflow
-   git push origin v0.7.0
+   git push origin v1.2.0
    ```
 
 3. The Release workflow will:
@@ -160,8 +160,8 @@ This script copies the `IdLE` meta-module and required nested modules into a loc
 
 ## Versioning and naming
 
-- Use `vMAJOR.MINOR.PATCH` tags (for example `v0.7.0`).
-- Pre-releases are allowed (for example `v0.7.0-rc.1`). They should be tested via the dry-run path first.
+- Use `vMAJOR.MINOR.PATCH` tags (for example `v1.2.0`).
+- Pre-releases are allowed (for example `v1.2.0-rc.1`). They should be tested via the dry-run path first.
 - Avoid deleting and reusing tags.
 
 ## Troubleshooting
@@ -172,7 +172,7 @@ This script copies the `IdLE` meta-module and required nested modules into a loc
 - Run the packaging script locally in list-only mode to inspect the file list:
 
 ```powershell
-pwsh -NoProfile -File ./tools/New-IdleReleaseArtifact.ps1 -Tag v0.7.0-test -ListOnly
+pwsh -NoProfile -File ./tools/New-IdleReleaseArtifact.ps1 -Tag v1.2.0-test -ListOnly
 ```
 
 ### Tag was pushed but the workflow fails with a version mismatch
@@ -192,7 +192,7 @@ With immutable releases enabled, treat published releases as immutable.
 Preferred approach:
 
 1. Fix the issue on `main`.
-2. Cut a new version tag (for example `v0.7.1`).
+2. Cut a new version tag (for example `v1.2.1`).
 
 ### The PSGallery publish job is blocked
 

From 10094e6333716d7a7dbd25db8396a2dc0c5694fe Mon Sep 17 00:00:00 2001
From: Matthias <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:14:37 +0100
Subject: [PATCH 6/9] change CI status check for more then only last 5 rund to
 suggested 100 runs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2a1de9d8..d09a16e0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -108,7 +108,7 @@ jobs:
 
           # NOTE: This must match the workflow filename for CI.
           # In this repository it is: .github/workflows/ci.yml
-          $uri = "https://api.github.com/repos/$repo/actions/workflows/ci.yml/runs?per_page=5&head_sha=$sha"
+          $uri = "https://api.github.com/repos/$repo/actions/workflows/ci.yml/runs?per_page=100&head_sha=$sha"
 
           $headers = @{
             Authorization = "Bearer $env:GH_TOKEN"

From 72f18d87a76934a3b54dd044491acf7b341e69e1 Mon Sep 17 00:00:00 2001
From: Matthias Fleschuetz <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:16:57 +0100
Subject: [PATCH 7/9] fix(ci): dereference annotated tags in release validation

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2a1de9d8..386155ec 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -85,7 +85,7 @@ jobs:
 
           git fetch origin main --depth 1 | Out-Null
 
-          $tagSha  = (git rev-parse '${{ github.sha }}').Trim()
+          $tagSha  = (git rev-parse '${{ github.ref }}^{}').Trim()
           $mainSha = (git rev-parse 'origin/main').Trim()
 
           if ($tagSha -ne $mainSha) {

From e1c666569260a590c5c1be76e3c9705d98407e5d Mon Sep 17 00:00:00 2001
From: Matthias <13959569+blindzero@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:19:51 +0100
Subject: [PATCH 8/9] improve error message on running CI required for release

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7aef50ae..6f98c9c7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -120,7 +120,7 @@ jobs:
           $run = $resp.workflow_runs | Sort-Object run_number -Descending | Select-Object -First 1
 
           if (-not $run) {
-            throw "No CI workflow run found for SHA $sha. Ensure CI runs on main for this commit before releasing."
+            throw "No completed CI workflow run found for SHA $sha. If CI is currently running for this commit, wait for it to complete successfully on main before releasing."
           }
 
           if ($run.status -ne 'completed' -or $run.conclusion -ne 'success') {

From f83bdcc6c56f81e1f817a21171d1b3483fc80c41 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 10 Jan 2026 17:20:28 +0000
Subject: [PATCH 9/9] Initial plan