From 29a815ef2a18adf0b20105dbaa134b388fcef8d9 Mon Sep 17 00:00:00 2001
From: rcourtman <courtmanr@gmail.com>
Date: Tue, 12 May 2026 16:55:51 +0100
Subject: [PATCH] Fail closed on stale API action plans

---
 .github/workflows/create-release.yml              | 6 +++---
 scripts/installtests/build_release_assets_test.go | 7 +++++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 0f6df7eb5..eeb140a33 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -1080,7 +1080,7 @@ jobs:
     needs:
       - prepare
       - validate_release_assets
-    if: ${{ always() && needs.prepare.result == 'success' && needs.validate_release_assets.result == 'success' && needs.prepare.outputs.historical_asset_backfill_only != 'true' }}
+    if: ${{ always() && needs.prepare.result == 'success' && needs.validate_release_assets.result == 'success' && needs.prepare.outputs.historical_asset_backfill_only != 'true' && github.event.inputs.draft_only != 'true' }}
     permissions:
       contents: read
     uses: ./.github/workflows/install-sh-smoke.yml
@@ -1103,7 +1103,7 @@ jobs:
     needs:
       - prepare
       - validate_release_assets
-    if: ${{ always() && needs.prepare.result == 'success' && needs.validate_release_assets.result == 'success' && needs.prepare.outputs.historical_asset_backfill_only != 'true' }}
+    if: ${{ always() && needs.prepare.result == 'success' && needs.validate_release_assets.result == 'success' && needs.prepare.outputs.historical_asset_backfill_only != 'true' && github.event.inputs.draft_only != 'true' }}
     permissions:
       contents: write
       packages: write
@@ -1125,7 +1125,7 @@ jobs:
     needs:
       - prepare
       - validate_release_assets
-    if: ${{ always() && needs.prepare.result == 'success' && needs.validate_release_assets.result == 'success' && needs.prepare.outputs.historical_asset_backfill_only != 'true' }}
+    if: ${{ always() && needs.prepare.result == 'success' && needs.validate_release_assets.result == 'success' && needs.prepare.outputs.historical_asset_backfill_only != 'true' && github.event.inputs.draft_only != 'true' }}
     permissions:
       contents: read
       packages: write
diff --git a/scripts/installtests/build_release_assets_test.go b/scripts/installtests/build_release_assets_test.go
index 40f4b158d..78517723e 100644
--- a/scripts/installtests/build_release_assets_test.go
+++ b/scripts/installtests/build_release_assets_test.go
@@ -193,6 +193,13 @@ func TestCreateReleaseUploadsPowerShellInstaller(t *testing.T) {
 		`promote_floating_tags:`,
 		`tag: ${{ needs.prepare.outputs.tag }}`,
 		`prerelease: ${{ needs.prepare.outputs.is_prerelease == 'true' }}`,
+		// Draft-only mode (draft_only=true input) keeps the release as a
+		// draft and skips the publish step. The three workflow_call'd
+		// downstreams must skip in that mode too — install-sh-smoke can't
+		// reach the /releases/download/<tag>/ URL of a draft (404), and
+		// helm publish + tag promotion would advance externally-visible
+		// state to a release that hasn't been promoted out of draft yet.
+		`needs.prepare.outputs.historical_asset_backfill_only != 'true' && github.event.inputs.draft_only != 'true'`,
 	}
 	for _, needle := range required {
 		if !strings.Contains(workflow, needle) {