ci: don't publish release if any upload-assets target failed #464

Merged
jdx merged 1 commit into main from fail-fast-release-publish
May 1, 2026
@jdx jdx commented May 1, 2026

Summary

GitHub immutable releases are enabled — a published release's assets can't be replaced after the fact. The previous always() gate on publish-release would flip the draft to non-draft even if one platform tarball was missing, leaving the downstream npm / COPR / PPA jobs (triggered by the release: published event) to fail fetching holes. Once published with missing assets, the only fix is to bump the version and re-cut the whole release.

This PR drops always() so publish-release skips when any matrix target in upload-assets fails. Without always(), the default GitHub Actions semantic is "skip if any needed job didn't succeed", which is exactly what we want here. enhance-release (which needs: publish-release) skips transitively, so a half-built release also doesn't get communique-ed notes attached to it.

Recovery flow when this kicks in

  1. The draft release stays in place with whatever tarballs did upload.
  2. Re-run release.yml via workflow_dispatch with tag: vX.Y.Z to fill the missing assets onto the existing draft.
  3. Either flip the draft by hand: gh release edit vX.Y.Z --draft=false (which fires release: published and triggers the downstream publishers), or workflow_dispatch release-plz.yml again so publish-release runs.

Test plan

  • actionlint clean
  • On the next release: confirm the workflow proceeds normally when all targets succeed
  • On a forced upload-assets failure (e.g. via a one-target injected error in a test branch): confirm publish-release is skipped and the draft remains a draft

🤖 Generated with Claude Code


Note

Medium Risk
Changes release automation gating so a GitHub release will no longer be published if any upload-assets matrix target fails, which could delay releases if the dependency chain or job conditions are misconfigured.

Overview
Prevents publish-release in release-plz.yml from flipping a draft GitHub release to published unless the upload-assets job succeeds, avoiding immutable published releases with missing binaries.

Updates the workflow documentation to explain why partial uploads must keep the release in draft and outlines the manual recovery flow (re-run release.yml for the tag, then publish).

Reviewed by Cursor Bugbot for commit 4cced3d. Bugbot is set up for automated code reviews on this repo.

GitHub immutable releases are enabled, so a published release's
assets can't be replaced after the fact. The previous `always()`
gate would flip the draft to non-draft even with a missing platform
tarball, leaving downstream npm / COPR / PPA jobs to fail trying to
fetch holes — and once published, the only fix is to bump the
version and re-cut the whole release.

Drop `always()` so publish-release skips when any matrix target
fails. The draft stays in place; recovery is to re-run `release.yml`
via workflow_dispatch on the tag to fill the missing assets, then
flip the draft by hand or workflow_dispatch release-plz.yml again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
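
A pre-publish check for step 3 of the recovery flow described above, as an added example that is not part of this PR or the project's workflows: given the JSON from `gh release view <tag> --json isDraft,assets`, it lists what still blocks flipping the draft. The target list, the asset naming scheme and the sample release are assumptions constructed for illustration.

```python
import json

# Hypothetical matrix targets; the page does not list the real ones.
TARGETS = ["linux-x64", "linux-arm64", "macos-arm64"]


def expected_assets(tag, targets=TARGETS, prefix="tool"):
    """Asset names the upload-assets matrix should have produced (assumed scheme)."""
    return {f"{prefix}-{tag}-{t}.tar.gz" for t in targets}


def publish_blockers(release_json, tag, targets=TARGETS):
    """Return reasons not to flip the draft; an empty list means safe to publish."""
    release = json.loads(release_json)
    blockers = []
    if not release.get("isDraft", False):
        # With immutable releases, assets can no longer be added or replaced.
        blockers.append("release is already published (immutable)")
    assets = {a["name"]: a for a in release.get("assets", [])}
    for name in sorted(expected_assets(tag, targets)):
        asset = assets.get(name)
        if asset is None:
            blockers.append(f"missing asset: {name}")
        elif asset.get("state") != "uploaded" or asset.get("size", 0) == 0:
            # An interrupted upload can leave a zero-byte or non-"uploaded" entry.
            blockers.append(f"incomplete asset: {name}")
    return blockers


# Constructed sample in the shape of `gh release view <tag> --json isDraft,assets`.
SAMPLE_PARTIAL = json.dumps({
    "isDraft": True,
    "assets": [
        {"name": "tool-v1.0.0-linux-x64.tar.gz", "size": 4194304, "state": "uploaded"},
        {"name": "tool-v1.0.0-linux-arm64.tar.gz", "size": 0, "state": "open"},
    ],
})

if __name__ == "__main__":
    for reason in publish_blockers(SAMPLE_PARTIAL, "v1.0.0"):
        print("BLOCK:", reason)
```

Run it after the `workflow_dispatch` re-run of `release.yml` and before `gh release edit vX.Y.Z --draft=false`; an empty result means every expected tarball is present on the draft.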
greptile-apps Bot commented May 1, 2026

Greptile Summary

Removes always() from publish-release's if condition so that GitHub Actions' default dependency logic skips the job whenever any upload-assets matrix target fails, preventing a draft release from being published with missing platform binaries under immutable-release constraints. The core fix is correct and well-reasoned.

Confidence Score: 4/5

Safe to merge; the main behavioural goal is achieved and the one finding is a harmless discrepancy between the PR description and GHA semantics.

Only a P2 finding (enhance-release still runs on the draft contrary to the stated description) — no data loss or incorrect publish path is introduced.

.github/workflows/release-plz.yml — enhance-release if condition if strict gating on published-only execution is desired.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release-plz.yml | Drops always() from publish-release so the job is skipped when any upload-assets matrix target fails; the core fix is correct, but enhance-release will still run on the draft because GitHub Actions treats a skipped predecessor as "OK". |

Comments Outside Diff (1)

  1. .github/workflows/release-plz.yml, line 155-156

    P2 enhance-release does not skip transitively when publish-release is skipped

    The PR description states that enhance-release "skips transitively" when upload-assets fails, but GitHub Actions' default dependency semantics treat a skipped job as "OK" for downstream needs — meaning a skipped publish-release does not block enhance-release from running.

    Concretely, when an upload-assets matrix target fails:

    1. upload-assets → failure
    2. publish-release → skipped (no always(), so GHA skips it because a needed job failed)
    3. enhance-release → runs (its needs are release-plz-release: success and publish-release: skipped; skipped counts as satisfied)

    enhance-release's if only checks needs.release-plz-release.outputs.tag != '', which is still true. It will attach communiqué-generated notes to the draft release. This is harmless in practice (notes on a draft are not public), but contradicts the stated intent. If the goal is to truly gate enhance-release on a successful publish, the condition should include an explicit check:

    if: ${{ needs.release-plz-release.outputs.tag != '' && needs.publish-release.result == 'success' }}

Reviews (1): Last reviewed commit: "ci: don't publish release if any upload-..."

@jdx jdx merged commit c4ac6a6 into main May 1, 2026
17 of 20 checks passed
@jdx jdx deleted the fail-fast-release-publish branch May 1, 2026 21:42
github-actions Bot commented May 1, 2026

Benchmark changes

Versions:

  • aube: 1.5.2 -> 1.6.1

Public ratios: warm installs vs Bun 6x -> 12x; warm installs vs pnpm 10x -> 17x.

| Benchmark | aube | bun | pnpm |
| --- | --- | --- | --- |
| Fresh install (warm cache) | 230ms -> 193ms (-16%) | 1488ms -> 2317ms (+56%) | 2367ms -> 3216ms (+36%) |
| CI install (warm cache, GVS disabled) | 564ms -> 965ms (+71%) | 1295ms -> 2051ms (+58%) | 2361ms -> 2464ms (+4%) |
| CI install (cold cache, GVS disabled) | 5800ms -> 4012ms (-31%) | 4278ms -> 4028ms (-6%) | 4823ms -> 5384ms (+12%) |

4cced3d vs 3ed617b | aube/bun/pnpm | 3 scenarios | 3 runs | 500mbit/50ms | generated by Codex.
