chore(ci): add artifact security scanning to release pipelines

- Add gh-action-scan before git push in both release workflows, so
  compromised artifacts block the release before any tag is published
- Decouple npm publish from release-it's after:release hook into
  explicit workflow steps for better control flow
- Uncomment push-to-main triggers for both release workflows
- Use databricks/gh-action-scan composite action (SHA-pinned)

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>

Author: pkosiec

.github/workflows/release-lakebase.yml

@@ -1,11 +1,11 @@
 name: Release @databricks/lakebase
 
 on:
-  # push:
-  #   branches:
-  #     - main
-  #   paths:
-  #     - 'packages/lakebase/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'packages/lakebase/**'
   workflow_dispatch:
     inputs:
       dry-run:
@@ -61,13 +61,38 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Release
+      - name: Release (build + tag locally)
         working-directory: packages/lakebase
         run: |
           if [ "$DRY_RUN" == "true" ]; then
             pnpm release:dry
           else
-            pnpm release:ci
+            pnpm exec release-it --ci --no-git.push --no-github.release
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Security scan
+        if: env.DRY_RUN != 'true'
+        uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f
+        with:
+          artifact-path: packages/lakebase/tmp
+          artifact-name: lakebase
+
+      - name: Push tag and create GitHub release
+        if: env.DRY_RUN != 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION=$(node -p "require('./packages/lakebase/package.json').version")
+          git push --follow-tags
+          NOTES=$(awk '/^## \[/{if(p) exit; p=1} p' packages/lakebase/CHANGELOG.md)
+          gh release create "lakebase-v${VERSION}" \
+            --title "@databricks/lakebase v${VERSION}" \
+            --notes "$NOTES"
+
+      - name: Publish to npm
+        if: env.DRY_RUN != 'true'
+        run: npm publish packages/lakebase/tmp --access public --provenance
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,11 +1,11 @@
 name: Release
 
 on:
-  # push:
-  #   branches:
-  #     - main
-  #   paths-ignore:
-  #     - 'packages/lakebase/**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'packages/lakebase/**'
   workflow_dispatch:
     inputs:
       dry-run:
@@ -82,16 +82,50 @@ jobs:
             echo "No releasable version detected"
           fi
 
-      - name: Release
+      - name: Release (build + tag locally, no push)
         run: |
           if [ "${{ steps.mode.outputs.dry_run }}" == "true" ]; then
             pnpm release:dry
           else
-            pnpm release:ci
+            pnpm exec release-it --ci --no-git.push --no-github.release
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Security scan (appkit)
+        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
+        uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f
+        with:
+          artifact-path: packages/appkit/tmp
+          artifact-name: appkit-${{ steps.version.outputs.version }}
+
+      - name: Security scan (appkit-ui)
+        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
+        uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f
+        with:
+          artifact-path: packages/appkit-ui/tmp
+          artifact-name: appkit-ui-${{ steps.version.outputs.version }}
+
+      - name: Push tag and create GitHub release
+        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git push --follow-tags
+          NOTES=$(awk '/^## \[/{if(p) exit; p=1} p' CHANGELOG.md)
+          gh release create "v${VERSION}" \
+            --title "AppKit v${VERSION}" \
+            --notes "$NOTES"
+
+      - name: Publish to npm
+        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
+        run: |
+          npm publish packages/appkit/tmp --access public --provenance
+          npm publish packages/appkit-ui/tmp --access public --provenance
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   sync-template:
     runs-on:
       group: databricks-protected-runner-group

.release-it.json

@@ -25,8 +25,7 @@
   "hooks": {
     "before:init": "pnpm audit --audit-level=high --prod",
     "after:bump": "tsx tools/sync-versions.ts ${version} && pnpm build:notice && git add NOTICE.md",
-    "before:release": "pnpm build && pnpm --filter=docs build && pnpm --filter=@databricks/appkit dist && pnpm --filter=@databricks/appkit-ui dist && pnpm release:sbom",
-    "after:release": "npm publish packages/appkit/tmp --access public --provenance && npm publish packages/appkit-ui/tmp --access public --provenance"
+    "before:release": "pnpm build && pnpm --filter=docs build && pnpm --filter=@databricks/appkit dist && pnpm --filter=@databricks/appkit-ui dist && pnpm release:sbom"
   },
   "plugins": {
     "@release-it/conventional-changelog": {

packages/lakebase/.release-it.json

@@ -23,8 +23,7 @@
   "hooks": {
     "before:init": "pnpm audit --audit-level=high --prod",
     "after:bump": "npm version ${version} --no-git-tag-version --allow-same-version",
-    "before:release": "pnpm build:package && pnpm dist && pnpm release:sbom",
-    "after:release": "npm publish ./tmp --access public --provenance"
+    "before:release": "pnpm build:package && pnpm dist && pnpm release:sbom"
   },
   "plugins": {
     "@release-it/conventional-changelog": {