fix(release): make recovery lane publishable

szTheory · szTheory · commit cd5e40d001a4 · 2026-04-23T22:47:38.000-04:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -51,7 +51,7 @@ jobs:
     name: Publish to Hex
     runs-on: ubuntu-latest
     needs: release-please
-    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    if: ${{ github.event_name == 'workflow_dispatch' || needs.release-please.outputs.release_created == 'true' }}
     environment: hex-publish
     permissions:
       contents: read
@@ -65,6 +65,11 @@ jobs:
           elixir-version: "1.19.5"
           otp-version: "28"
 
+      - name: Install Hex and Rebar
+        run: |
+          mix local.hex --force
+          mix local.rebar --force
+
       - name: Restore Mix cache
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
diff --git a/docs/maintainer-release.md b/docs/maintainer-release.md
@@ -53,6 +53,7 @@ If `workflow_dispatch` is used, treat it as recovery-only. It is not a normal pu
 - Restrict the environment to deployments from `main`.
 - Keep workflow permissions minimal and publish jobs pinned to immutable action SHAs.
 - Keep the authenticated dry-run inside the trusted workflow via `mix release.preflight`.
+- If a merged release needs to be replayed after a workflow failure, use `workflow_dispatch` with a recovery reason to rerun the same protected publish lane.
 - Record protected-environment evidence separately from repo-owned proof: deployment restrictions, bypass posture, and environment-secret placement all live in GitHub settings rather than in the repo.
 
 ## Release posture
diff --git a/test/lockspire/release_readiness_contract_test.exs b/test/lockspire/release_readiness_contract_test.exs
@@ -40,6 +40,9 @@ defmodule Lockspire.ReleaseReadinessContractTest do
     assert release_workflow =~ "recovery_reason"
     assert release_workflow =~ "workflow_dispatch is recovery-only"
     assert release_workflow =~ "Release Please generated PRs are review-only"
+    assert release_workflow =~ "github.event_name == 'workflow_dispatch'"
+    assert release_workflow =~ "mix local.hex --force"
+    assert release_workflow =~ "mix local.rebar --force"
 
     assert release_workflow =~
              "Trusted proof starts only after merge in the protected hex-publish environment"
@@ -51,7 +54,7 @@ defmodule Lockspire.ReleaseReadinessContractTest do
     assert release_workflow =~ "run: mix hex.publish --yes"
 
     assert release_workflow =~
-             "if: ${{ needs.release-please.outputs.release_created == 'true' }}"
+             "if: ${{ github.event_name == 'workflow_dispatch' || needs.release-please.outputs.release_created == 'true' }}"
 
     refute release_workflow =~ "pull_request:"
     refute release_workflow =~ "package-name: lockspire"
