[build] use rulesets to restrict and unrestrict trunk during release window (#16941)

* [build] use rulesets to restrict and unrestrict trunk during release window

* [build] add empty permissions to restrict-trunk workflow

* create slack message if release fails

---------

Co-authored-by: Copilot <[email protected]>

Author: titusfortner

.github/workflows/pre-release.yml

@@ -22,6 +22,7 @@ jobs:
   update-rust:
     name: Update Rust Version
     runs-on: ubuntu-latest
+    if: github.event.repository.fork == false
     steps:
       - name: "Checkout repo"
         uses: actions/checkout@v4

.github/workflows/release.yml

@@ -139,9 +139,18 @@ jobs:
           omitBodyDuringUpdate: true
           omitNameDuringUpdate: true
 
+  unrestrict-trunk:
+    name: Unrestrict Trunk Branch
+    needs: [github-release]
+    if: always()
+    uses: ./.github/workflows/restrict-trunk.yml
+    with:
+      restrict: false
+    secrets: inherit
+
   update-version:
     name: Reset Versions to Nightly
-    needs: [stage, docs]
+    needs: [stage, docs, unrestrict-trunk]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -165,3 +174,27 @@ jobs:
         run: |
           git commit -m "[build] Reset versions to nightly after ${{ needs.stage.outputs.tag }} release"
           git push
+
+  on-release-failure:
+    name: On Release Failure
+    runs-on: ubuntu-latest
+    needs: [stage, authorize, publish, docs, github-release, unrestrict-trunk, update-version]
+    if: failure()
+    steps:
+      - uses: actions/checkout@v4
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_ICON_EMOJI: ":rotating_light:"
+          SLACK_COLOR: failure
+          SLACK_CHANNEL: selenium-tlc
+          SLACK_USERNAME: GitHub Workflows
+          SLACK_TITLE: Release failed
+          SLACK_MESSAGE: >
+            Selenium Published: ${{ needs.publish.result }},
+            Docs Updated: ${{ needs.docs.result }},
+            GitHub Release Published: ${{ needs.github-release.result }},
+            Trunk Unlocked: ${{ needs.unrestrict-trunk.result }},
+            Nightly Version Updated: ${{ needs.update-version.result }}
+          MSG_MINIMAL: actions url
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/restrict-trunk.yml

@@ -0,0 +1,54 @@
+name: Manage Trunk Restrictions
+
+permissions: {}
+
+concurrency:
+  group: manage-trunk-restrictions
+  cancel-in-progress: false
+
+on:
+  pull_request:
+    types: [ready_for_review, closed]
+    branches:
+      - trunk
+  workflow_dispatch:
+    inputs:
+      restrict:
+        description: 'Restrict trunk branch'
+        required: true
+        type: boolean
+  workflow_call:
+    inputs:
+      restrict:
+        description: 'Restrict trunk branch'
+        required: true
+        type: boolean
+
+jobs:
+  manage-trunk:
+    name: Manage Trunk Branch
+    runs-on: ubuntu-latest
+    if: |
+      github.event.repository.fork == false &&
+      (github.event_name == 'workflow_dispatch' || github.event_name == 'workflow_call' ||
+       (startsWith(github.event.pull_request.head.ref, 'release-preparation-') &&
+        (github.event.action == 'ready_for_review' ||
+         (github.event.action == 'closed' && github.event.pull_request.merged == false))))
+    strategy:
+      matrix:
+        ruleset_id:
+          - 11911909  # Release In Progress Access (restrict updates to trunk to release managers)
+          - 11912022  # Release In Progress Flow (requires branches to be up to date before merging)
+    env:
+      TRUNK_RESTRICTED: ${{ inputs.restrict || github.event.action == 'ready_for_review' }}
+    steps:
+      - name: Update ruleset enforcement
+        uses: octokit/[email protected]
+        with:
+          route: PUT /repos/{owner}/{repo}/rulesets/{ruleset_id}
+          owner: ${{ github.repository_owner }}
+          repo: ${{ github.event.repository.name }}
+          ruleset_id: ${{ matrix.ruleset_id }}
+          enforcement: ${{ env.TRUNK_RESTRICTED == 'true' && 'active' || 'disabled' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }}