ci: Extract release workflow into a dedicated file

Moves the GitHub Actions release job from `build-and-test.yml`
into a new, standalone `release.yml` workflow. This improves
modularity and clarity of the CI/CD pipeline, allowing for
better management and triggering of the release process.

The new workflow is configured to run upon completion of the
'Build and test' workflow or via manual `workflow_dispatch`,
with a dry-run option available for testing.

Author: dividedmind

.github/workflows/build-and-test.yml

@@ -108,38 +108,3 @@ jobs:
           TERM: xterm
         working-directory: ./agent
         run: bin/test_run
-
-  release:
-    name: Release
-    runs-on: ubuntu-latest
-    needs: test-suite
-    if: ${{ github.ref == 'refs/heads/master' }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/setup-java@v4
-        with:
-          java-version: '17'
-          distribution: 'temurin'
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v4
-      - uses: actions/download-artifact@v4
-        with:
-          name: Jars
-      - name: Install semantic-release
-        run: |
-          npm i -g \
-              semantic-release \
-              @semantic-release/exec \
-              @semantic-release/git \
-              @semantic-release/changelog \
-              @google/semantic-release-replace-plugin
-      - name: Run semantic-release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGKEY }}
-          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGPASSWORD }}
-          ORG_GRADLE_PROJECT_ossrhUsername: ${{ secrets.ORG_GRADLE_PROJECT_OSSRHUSERNAME }}
-          ORG_GRADLE_PROJECT_ossrhPassword: ${{ secrets.ORG_GRADLE_PROJECT_OSSRHPASSWORD }}
-        run: semantic-release

.github/workflows/release.yml

@@ -0,0 +1,62 @@
+name: Release
+
+on:
+  workflow_run:
+    workflows: ["Build and test"]
+    types:
+      - completed
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Run in dry-run mode (no publish)"
+        required: false
+        default: "true"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    concurrency:
+      group: "release"
+      cancel-in-progress: true
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'master')
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: actions/setup-java@v5
+        with:
+          java-version: "17"
+          distribution: "temurin"
+          cache: gradle
+      - name: Setup node
+        uses: actions/setup-node@v6
+        with:
+          node-version: "20"
+      - name: Install semantic-release
+        shell: bash
+        run: |
+          npm i -g \
+              semantic-release \
+              @semantic-release/exec \
+              @semantic-release/git \
+              @semantic-release/changelog \
+              @google/semantic-release-replace-plugin
+      - name: Run semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGKEY }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGPASSWORD }}
+          ORG_GRADLE_PROJECT_ossrhUsername: ${{ secrets.ORG_GRADLE_PROJECT_OSSRHUSERNAME }}
+          ORG_GRADLE_PROJECT_ossrhPassword: ${{ secrets.ORG_GRADLE_PROJECT_OSSRHPASSWORD }}
+        shell: bash
+        run: |
+          if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then
+            semantic-release --dry-run
+          else
+            semantic-release
+          fi