ci: Force publish artifacts to be from a tag when triggered by dispatch [backport] (#5680)

## Backport of #5673

This PR backports #5673 to release/v1.14.

### Original PR Author
@kgeckhart

### Description
### Brief description of Pull Request

Ensure the dispatch of the artifacts job will be from a tag. Previously
this was not required which could accidentally cause artifacts to be
generated from main.

This also adds a dry run mode which prints the ref and exits.

---
*This backport was created automatically.*

Co-authored-by: Kyle Eckhart <kgeckhart@users.noreply.github.com>

Author: grafana-alloybot[bot]

.github/workflows/publish-alloy-windows.yml

@@ -18,6 +18,10 @@ on:
         required: false
         type: string
         default: ""
+      ref:
+        required: false
+        type: string
+        default: ""
 
 permissions:
   contents: read
@@ -41,6 +45,7 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
+        ref: ${{ inputs.ref }}
         persist-credentials: false
 
     - name: Tag dev

.github/workflows/release-publish-alloy-artifacts.yml

@@ -5,18 +5,49 @@ on:
       - 'v*'
   workflow_dispatch:
     inputs:
-      tag:
-        description: 'Release tag to publish artifacts for (e.g., v1.14.0-rc.0)'
-        required: true
-        type: string
+      dry_run:
+        # When dry_run is true, the validate job will intentionally fail and all downstream jobs will be skipped.
+        description: 'Dry run (do not publish any artifacts)'
+        type: boolean
+        default: true
 env:
-  RELEASE_TAG: ${{ inputs.tag || github.ref_name }}
+  RELEASE_TAG: ${{ github.ref_name }}
 
 permissions:
   contents: read
 
 jobs:
+  validate:
+    name: Validate ref is a tag
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check ref type
+      env:
+        REF_TYPE: ${{ github.ref_type }}
+        REF_NAME: ${{ github.ref_name }}
+        DRY_RUN: ${{ inputs.dry_run }}
+      run: |
+        if [[ "$REF_TYPE" != "tag" ]]; then
+          echo "::error::This workflow must be run from a tag, not a branch. Change the ref to a release tag (e.g., v1.14.0)."
+          exit 1
+        fi
+        if [[ "$REF_NAME" != v* ]]; then
+          echo "::error::Tag must start with 'v' (e.g., v1.14.0). Got: $REF_NAME"
+          exit 1
+        fi
+        if [[ "$DRY_RUN" == "true" ]]; then
+          echo "Dry run enabled for $REF_NAME. The following would run:"
+          echo "  - Publish Linux container images"
+          echo "  - Publish Windows container image"
+          echo "  - Build and sign Windows executables and installer"
+          echo "  - Upload release artifacts to GitHub"
+          echo "  - Submit WinGet manifest"
+          echo "::error::Set dry_run to false to publish."
+          exit 1
+        fi
+
   publish_linux_container:
+    needs: validate
     uses: ./.github/workflows/publish-alloy-linux.yml
     permissions:
       contents: read
@@ -25,6 +56,7 @@ jobs:
       img-name: alloy
 
   publish_linux_boringcrypto_container:
+    needs: validate
     uses: ./.github/workflows/publish-alloy-linux.yml
     permissions:
       contents: read
@@ -33,12 +65,14 @@ jobs:
       img-name: alloy-boringcrypto
 
   publish_windows_container:
+    needs: validate
     uses: ./.github/workflows/publish-alloy-windows.yml
     permissions:
       contents: read
       id-token: write
     with:
       img-name: alloy
+      ref: ${{ github.ref_name }}
 
   build_alloy:
     name: Build Alloy
@@ -285,4 +319,4 @@ jobs:
       contents: read
       id-token: write
     with:
-      release-tag: ${{ inputs.tag || github.event.release.tag_name }}
+      release-tag: ${{ github.ref_name }}