feat: private fork release pipeline (#20707)

Part of ability to have private repo forks

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: ludamad

.github/workflows/private-fork-release.yml

@@ -0,0 +1,61 @@
+# Accepts a release dispatch from a private fork.
+# Checks out the fork's code and runs the standard release pipeline
+# using this (public) repo's secrets and publishing identity.
+# The tag is pushed here with [skip ci] to avoid triggering the normal ci3.yml release.
+name: Release (Fork)
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag (e.g. v5.0.0)"
+        required: true
+      commit:
+        description: "Commit SHA from the source repo"
+        required: true
+      source_repo:
+        description: "Source repository to clone"
+        required: true
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    environment: master
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          repository: ${{ inputs.source_repo }}
+          ref: ${{ inputs.commit }}
+          token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Push tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+        run: |
+          git config user.name "AztecBot"
+          git config user.email "tech@aztecprotocol.com"
+          git remote add public "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
+          git fetch public next --depth=1
+          git tag -a "${{ inputs.tag }}" public/next -m "${{ inputs.tag }} [skip ci]"
+          git push public "refs/tags/${{ inputs.tag }}" || echo "Tag already exists, continuing."
+
+      - name: Release
+        env:
+          CI: "1"
+          RELEASE_ALL: "1"
+          REF_NAME: ${{ inputs.tag }}
+          RUN_ID: ${{ github.run_id }}
+          SOURCE_REPOSITORY: ${{ inputs.source_repo }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+        run: ./.github/ci3.sh release