From 4f86e340c277ddb89531ae04d106fb92ff4aeb17 Mon Sep 17 00:00:00 2001
From: StableLlama <stablellama@tutanota.com>
Date: Sun, 22 Feb 2026 21:44:59 +0100
Subject: [PATCH 1/2] Refactor GitHub Actions workflows to trigger on release
 creation only

---
 .github/workflows/build-docker.yml      |  8 +++---
 .github/workflows/build-electron.yml    |  8 +++---
 .github/workflows/build-pyinstaller.yml |  8 +++---
 .github/workflows/create-release.yml    | 34 +++++++++++++++++++++++++
 4 files changed, 43 insertions(+), 15 deletions(-)
 create mode 100644 .github/workflows/create-release.yml

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 3604dc4..292c458 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -1,11 +1,9 @@
 name: Build Docker Image
 
 on:
-  push:
-    branches: [ "main" ]
-    tags: [ 'v*.*.*' ]
-  pull_request:
-    branches: [ "main" ]
+  release:
+    # Run this workflow only when a new release is created
+    types: [created]
 
 env:
   REGISTRY: ghcr.io
diff --git a/.github/workflows/build-electron.yml b/.github/workflows/build-electron.yml
index b157561..441c277 100644
--- a/.github/workflows/build-electron.yml
+++ b/.github/workflows/build-electron.yml
@@ -1,11 +1,9 @@
 name: Build Standalone App (Electron)
 
 on:
-  push:
-    branches: [ "main" ]
-    tags: [ 'v*.*.*' ]
-  pull_request:
-    branches: [ "main" ]
+  release:
+    # Run this workflow only when a new release is created
+    types: [created]
 
 jobs:
   build:
diff --git a/.github/workflows/build-pyinstaller.yml b/.github/workflows/build-pyinstaller.yml
index 6e5cae2..2878f9f 100644
--- a/.github/workflows/build-pyinstaller.yml
+++ b/.github/workflows/build-pyinstaller.yml
@@ -1,11 +1,9 @@
 name: Build Portable Executable (PyInstaller)
 
 on:
-  push:
-    branches: [ "main" ]
-    tags: [ 'v*.*.*' ]
-  pull_request:
-    branches: [ "main" ]
+  release:
+    # Run this workflow only when a new release is created
+    types: [created]
 
 jobs:
   build:
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
new file mode 100644
index 0000000..e787d46
--- /dev/null
+++ b/.github/workflows/create-release.yml
@@ -0,0 +1,34 @@
+name: Create Release (manual)
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'New release version (tag), e.g. v1.2.3'
+        required: true
+        type: string
+      body:
+        description: 'Release notes / body'
+        required: false
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  create-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Create GitHub Release
+        uses: actions/create-release@v1
+        with:
+          tag_name: ${{ github.event.inputs.version || github.event.inputs.version }}
+          release_name: ${{ github.event.inputs.version || github.event.inputs.version }}
+          body: ${{ github.event.inputs.body || '' }}
+          draft: false
+          prerelease: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 924ec5696a5867ecc37559b2d1f0d844e0e1ebe5 Mon Sep 17 00:00:00 2001
From: StableLlama <stablellama@tutanota.com>
Date: Sun, 22 Feb 2026 21:58:19 +0100
Subject: [PATCH 2/2] Update GitHub Actions workflows to trigger on release
 publication and enforce main branch for manual release creation

---
 .github/workflows/build-docker.yml      | 4 ++--
 .github/workflows/build-electron.yml    | 4 ++--
 .github/workflows/build-pyinstaller.yml | 4 ++--
 .github/workflows/create-release.yml    | 8 ++++++++
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 292c458..5b35aa7 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -2,8 +2,8 @@ name: Build Docker Image
 
 on:
   release:
-    # Run this workflow only when a new release is created
-    types: [created]
+    # Run this workflow only when a release is published
+    types: [published]
 
 env:
   REGISTRY: ghcr.io
diff --git a/.github/workflows/build-electron.yml b/.github/workflows/build-electron.yml
index 441c277..8dd9d3c 100644
--- a/.github/workflows/build-electron.yml
+++ b/.github/workflows/build-electron.yml
@@ -2,8 +2,8 @@ name: Build Standalone App (Electron)
 
 on:
   release:
-    # Run this workflow only when a new release is created
-    types: [created]
+    # Run this workflow only when a release is published
+    types: [published]
 
 jobs:
   build:
diff --git a/.github/workflows/build-pyinstaller.yml b/.github/workflows/build-pyinstaller.yml
index 2878f9f..7097e97 100644
--- a/.github/workflows/build-pyinstaller.yml
+++ b/.github/workflows/build-pyinstaller.yml
@@ -2,8 +2,8 @@ name: Build Portable Executable (PyInstaller)
 
 on:
   release:
-    # Run this workflow only when a new release is created
-    types: [created]
+    # Run this workflow only when a release is published
+    types: [published]
 
 jobs:
   build:
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index e787d46..2db33bf 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -2,6 +2,7 @@ name: Create Release (manual)
 
 on:
   workflow_dispatch:
+    branches: [ "main" ]
     inputs:
       version:
         description: 'New release version (tag), e.g. v1.2.3'
@@ -22,6 +23,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Ensure workflow is running on `main`
+        run: |
+          if [ "${GITHUB_REF#refs/heads/}" != "main" ]; then
+            echo "This workflow can only be run on the main branch.";
+            exit 1;
+          fi
+
       - name: Create GitHub Release
         uses: actions/create-release@v1
         with: