Add Re-release workflow to republish artifacts from a specific commit SHA (#7079)

When a release partially fails (npm registry issues, network errors,
etc.), there's no way to re-run only the publish steps against an
already-tagged commit without bumping versions again.

## Changes

- **New workflow** `.github/workflows/release-rerun.yml`:
`workflow_dispatch` with a required `commit_sha` input that checks out
the repo at that SHA and runs `02-release-builds.sh` +
`03-release-npm.sh`
- **No version bumping**: `01-release-tags.sh` is intentionally absent —
this workflow is publish-only
- Same environment, permissions (`id-token: write` for provenance), and
npm auth setup as the existing release workflows

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>

## Summary

Add a new manual GitHub Actions workflow that allows triggering the
release pipeline at a specific commit SHA without updating package
versions. This is useful for re-releasing artifacts that were not
properly published the first time around.

## Background

The current release workflows are:

1. **`release-branch.yml`** - Releases a new stable version from a
specified branch, bumps versions via `01-release-tags.sh`, and publishes
2. **`release-candidate.yml`** - Releases a RC from master, optionally
applies new versions via `01-release-tags.sh --prerelease`, and
publishes

Both workflows always check out a branch (`master` or a specified
branch) and optionally run version tagging scripts. There's no way to
re-release artifacts from a specific commit when publishing failed
partially (e.g., due to network issues, npm registry problems, etc.).

## Requirements

Create a new workflow file at `.github/workflows/release-rerun.yml` (or
similar name like `republish.yml`) that:

1. **Trigger**: Uses `workflow_dispatch` with a required input for the
commit SHA to checkout
2. **Input**: 
- `commit_sha` (required): The specific commit SHA to checkout and
release from
3. **Steps** (follow the pattern from existing release workflows):
- Checkout the repository at the specified commit SHA (using
`actions/checkout@v4` with `ref: ${{ github.event.inputs.commit_sha }}`)
   - Fetch all relevant tags (like existing workflows)
   - Setup Node.js 18.x
   - Build the CLI binary (same "Build a binary for convenience" step)
- **Skip** the "Generate the release commits" step entirely (no version
bumping)
   - Configure npm auth tokens
   - Run `./scripts/release/02-release-builds.sh` to publish packages
- Run `./scripts/release/03-release-npm.sh` to publish the CLI dist
package

4. **Permissions**: Include `id-token: write` for provenance statement
minting (same as existing workflows)

5. **Environment**: Use the same environment variables as existing
workflows:
   - `node-version: '18.x'`
   - `NODE_OPTIONS: --max_old_space_size=8192`

## Reference Implementation

Use `release-candidate.yml` as the base template but:
- Change the input from `apply_versions` to `commit_sha` (required,
string type with description like "Commit SHA to release from")
- Change the checkout `ref` to use the commit SHA input instead of
`master`
- Remove the conditional "Generate the release commits" step entirely
- Keep the "Upload the releases" step that runs `02-release-builds.sh`
and `03-release-npm.sh`

## Workflow Name

Use a descriptive name like `'Re-release'` or `'Republish Artifacts'` to
make it clear this is for re-running a failed release.

The following is the prior conversation context from the user's chat
exploration (may be truncated):

User: Open a pr on yarnpkg/berry that adds a new manual workflow
triggering the release pipeline at a specific commit without updating
the package versions. We will use it to re-release artifacts that were
not properly published the first time around.

Assistant: I'll create a pull request on yarnpkg/berry to add a new
manual workflow for triggering the release pipeline at a specific commit
without updating package versions. Let me first explore the existing
release workflows to understand the current setup.

Assistant: Let me look at the existing release workflows to understand
the release pipeline structure:

Assistant: Now I have a good understanding of the existing release
workflows. Let me also check the release scripts to better understand
what they do:

Assistant: Now I have a good understanding of the existing release
workflows. I can see that:

1. `release-candidate.yml` already has an `apply_versions` input that
can skip version bumping
2. `release-branch.yml` releases from a specific branch
3. Both workflows use `02-release-builds.sh` and `03-release-npm.sh` to
publish artifacts

The new workflow should:
- Allow specifying a specific commit SHA to checkout
- Skip version updates entirely (no `01-release-tags.sh` execution)
- Just run the build and publish scripts

Let me create the PR:

Assistant: I've started a pull request on `yarnpkg/berry` using the
Copilot coding agent. The agent will create a new workflow file (likely
named `release-rerun.yml` or `republish.yml`) that:

1. **Manually triggered** via `workflow_dispatch` with a required
`commit_sha` input
2. **Checks out** the repository at the specified commit SHA
3. **Builds** the CLI binary
4. **Skips version bumping** - no calls to `01-release-tags.sh`
5. **Runs the publish scripts** (`02-release-builds.sh` and
`03-release-npm.sh`) to re-release the artifacts

This will allow you to re-release packages from any previously-tagged
commit when publishing failed partially (e.g., npm registry issues,
network problems, etc.).

The Copilot coding agent is now working on this task. You can follow the
progress in the repository's pull requests - a new PR should appear
shortly at [yarnpkg/berry pull requests](https://gith...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

📍 Connect Copilot coding agent with [Jira](https://gh.io/cca-jira-docs),
[Azure Boards](https://gh.io/cca-azure-boards-docs) or
[Linear](https://gh.io/cca-linear-docs) to delegate work to Copilot in
one click without leaving your project management tool.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: arcanis <1037931+arcanis@users.noreply.github.com>

Author: Copilot

.github/workflows/release-rerun.yml

@@ -0,0 +1,56 @@
+on:
+  workflow_dispatch:
+    inputs:
+      commit_sha:
+        description: 'Commit SHA to release from'
+        required: true
+        type: string
+
+env:
+  node-version: '18.x'
+
+name: 'Re-release'
+jobs:
+  release:
+    name: 'Re-releasing artifacts'
+    runs-on: ubuntu-latest
+
+    env:
+      NODE_OPTIONS: --max_old_space_size=8192
+
+    # Mint a token to produce the provenance statement
+    permissions:
+      id-token: write
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{github.event.inputs.commit_sha}}
+        token: ${{secrets.YARNBOT_TOKEN}}
+
+    - name: 'Retrieve all the relevant tags'
+      run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
+
+    - name: 'Use Node.js ${{ env.node-version }}'
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ env.node-version }}
+
+    - name: 'Build a binary for convenience'
+      run: |
+        yarn build:cli
+
+        TMPBIN=$(mktemp -d)
+        cp ./packages/yarnpkg-cli/bundles/yarn.js $TMPBIN/yarn.js
+
+        grep -v "yarnPath:" .yarnrc.yml > $TMPBIN/.yarnrc.yml
+        cp $TMPBIN/.yarnrc.yml .yarnrc.yml
+        echo "yarnPath: '$TMPBIN/yarn.js'" >> .yarnrc.yml
+        git update-index --skip-worktree -- .yarnrc.yml
+
+    - name: 'Upload the releases'
+      run: |
+        yarn config set -H 'npmAuthToken' "${{secrets.YARNBOT_NPM_TOKEN}}"
+        yarn config set -H 'npmRegistries["//npm.pkg.github.com"].npmAuthToken' "${{secrets.YARNBOT_TOKEN}}"
+        ./scripts/release/02-release-builds.sh
+        ./scripts/release/03-release-npm.sh