From aedfbf0dace7dd5647dae4652b9b259f8ce033dc Mon Sep 17 00:00:00 2001
From: Jacob Lindgren
Date: Wed, 15 Apr 2026 12:07:19 -0500
Subject: [PATCH] setup release workflow for supporting immutable releases
---
.github/workflows/release.yaml | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 03f48df76..14965e8b8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,8 +6,19 @@ on: - '*' jobs: + create-draft: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Create draft release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh release create -R "${GITHUB_REPOSITORY}" --draft --generate-notes "${GITHUB_REF_NAME}" + build: runs-on: ubuntu-latest + needs: [create-draft] strategy: fail-fast: true matrix:
@@ -34,8 +45,7 @@ jobs: publish: runs-on: ubuntu-latest - needs: - build + needs: [create-draft] permissions: contents: read id-token: write # required for cosign signing
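Review bot: The `gh release create` call in the new `create-draft` job no longer passes `--verify-tag`, which the removed `create-release` command did. Without it, a tag that is missing from the remote is created from the default branch rather than causing a failure. For a workflow aimed at immutable releases I would keep the guard: `run: gh release create -R "${GITHUB_REPOSITORY}" --verify-tag --draft --generate-notes "${GITHUB_REF_NAME}"`. How a re-run for the same tag behaves once a draft already exists is not visible here, so a one-line comment above the step stating the expected retry procedure would help.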
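Review bot: With `needs: [create-draft]` replacing the dependency on `build`, `publish` now starts alongside the build matrix, so a failing build leg no longer stops it. This is the job that holds `id-token: write` for cosign signing, so signed artifacts could exist for a tag whose release never leaves draft. If the parallel ordering is intended, say so in a comment on the `needs` line; otherwise keep both dependencies, `needs: [create-draft, build]`. The `publish` job starts before this hunk and continues after it, so whether any of its steps depends on the draft release cannot be confirmed from here.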
@@ -88,25 +98,24 @@ jobs: prime-username: ${{ env.PRIME_REGISTRY_USERNAME }} prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }} - create-release: + finalize: runs-on: ubuntu-latest needs: - build - publish permissions: - contents: write # needed for creating the GH release + contents: write # Publish the draft release + id-token: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: Checkout code - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Download assets uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: /tmp/assets pattern: rancher-machine-*.tar.gz merge-multiple: true - - name: (for testing) check files - run: ls -l /tmp/assets - - name: Create GH release - run: gh release create ${{ github.ref_name }} --verify-tag --generate-notes /tmp/assets/rancher-machine-*.tar.gz + - name: Upload binary assets to release + run: gh release upload -R "${GITHUB_REPOSITORY}" "${GITHUB_REF_NAME}" /tmp/assets/rancher-machine-*.tar.gz + - name: Publish the release + run: gh release edit -R "${GITHUB_REPOSITORY}" "${GITHUB_REF_NAME}" --draft=false
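Review bot: `finalize` gains `id-token: write` with no comment, and none of its visible steps (artifact download, `gh release upload`, `gh release edit`) requests an OIDC token. This job also holds `contents: write`, so it should carry only the permissions it uses. Drop the line, or if a signing or attestation step is planned, add it together with that step and annotate it the way `publish` does, e.g. `id-token: write # required for <step>`. Because the commit targets immutable releases, a check before `--draft=false` that the expected `rancher-machine-*.tar.gz` assets are attached would also be worth adding, since the removed `ls -l` step was the only inspection of `/tmp/assets`.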