Context
`release.yml` fires only on `on: push: tags: "v*"`. If a tagged release fails partway (e.g. cosign outage, npm registry 5xx), there's no clean re-run path short of deleting+repushing the tag.
`v0.2.4` shipped without SBOM/cosign/SLSA because Actions was temporarily disabled during the tag push — same class of problem.
Proposal
- Add `workflow_dispatch` trigger with a `tag` input to `release.yml`.
- When dispatched, use the input as `GITHUB_REF_NAME` for the tag-match check and artifact naming.
- Guard the `publish-npm` job behind a boolean input `skip_npm` (default `false`) so re-runs for an already-published version can still produce signed GH release assets without failing on `npm publish` collision.
Acceptance criteria
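A sketch of the trigger and guard described under Proposal, added here as an example and not taken from the project's `release.yml`. The `release-assets` job name, the `RELEASE_TAG` variable, the strict `vX.Y.Z` tag pattern and the placeholder steps are assumptions; because default `GITHUB_*` variables cannot be overwritten, the tag is resolved into a separate variable instead of `GITHUB_REF_NAME`.

```yaml
# Added example: hypothetical excerpt, not the project's actual release.yml.
name: release
on:
  push:
    tags: ["v*"]
  workflow_dispatch:
    inputs:
      tag:
        description: "Existing tag to (re)release, e.g. v0.2.4"
        required: true
        type: string
      skip_npm:
        description: "Skip npm publish (version already on the registry)"
        type: boolean
        default: false

env:
  # Dispatch input if present, otherwise the pushed tag name.
  # RELEASE_TAG is an assumed name; later steps read it for checks and naming.
  RELEASE_TAG: ${{ inputs.tag || github.ref_name }}

jobs:
  release-assets:            # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: write        # upload GitHub release assets
      id-token: write        # needed only if signing is keyless (OIDC)
    steps:
      - name: Validate tag format
        run: |
          # Read the value from the environment; do not inline
          # ${{ inputs.tag }} into the script body.
          printf '%s' "$RELEASE_TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' \
            || { echo "invalid tag: $RELEASE_TAG" >&2; exit 1; }
      - uses: actions/checkout@v4
        with:
          # Build from the tag, not from the ref the run was dispatched on.
          ref: refs/tags/${{ env.RELEASE_TAG }}
      # Placeholder: build, SBOM, signing and asset upload steps go here.

  publish-npm:
    needs: release-assets
    # inputs.skip_npm is empty on tag pushes, so the job still runs there.
    if: ${{ !inputs.skip_npm }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/tags/${{ env.RELEASE_TAG }}
      - run: echo "npm publish for $RELEASE_TAG goes here"   # placeholder
```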