From e87db42cf89248c0cac4f91c376c53ab81b31337 Mon Sep 17 00:00:00 2001
From: lukeocodes <luke@lukeoliff.com>
Date: Fri, 8 May 2026 13:55:16 +0100
Subject: [PATCH] ci(release): gate mark-latest and web deploy on PyPI publish
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both jobs were running in parallel with build/test/publish — only release-please
was a 'needs' dependency. That meant 'latest' could flip and cli.deepgram.com
could ship a new version banner before the PyPI artifact was actually
installable.

Move both downstream of publish so they run in parallel with bump-brew-formula.
Final shape:

  release-please -> build -> test -> publish ─┬─> mark-latest
                                              ├─> deploy-web (production)
                                              └─> bump-brew-formula

PyPI is the gating artifact for all three: brew formula needs the SHA, web
landing page advertises the install command, mark-latest promotes the tag.
---
 .github/workflows/release.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5c576fb..9c0cfe9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -79,10 +79,12 @@ jobs:
 
   mark-latest:
     name: Mark root release as latest
-    needs: release-please
-    # Re-assert latest on the root package tag (vX.Y.Z) after all sub-package
-    # releases are created, since release-please processes them sequentially and
-    # a sub-package release created after the root tag can steal the pointer.
+    needs: [release-please, publish]
+    # Re-assert latest on the root package tag (vX.Y.Z) after PyPI publish so
+    # users clicking "latest" land on a tag whose artifact is actually
+    # installable. Also re-asserts after all sub-package releases since
+    # release-please processes them sequentially and a sub-package release
+    # created after the root tag can steal the pointer.
     if: |
       needs.release-please.outputs.release_created == 'true' &&
       startsWith(needs.release-please.outputs.tag_name, 'v')
@@ -95,9 +97,11 @@ jobs:
 
   deploy-web:
     name: Deploy web to production
-    needs: release-please
-    # Only fire on root-package releases (v0.2.4, v1.0.0, …).
-    # Sub-package tags look like deepctl-cmd-listen-v0.0.3 — skip those.
+    needs: [release-please, publish]
+    # Only fire on root-package releases (v0.2.4, v1.0.0, …) and only after
+    # PyPI publish so cli.deepgram.com never advertises a version that isn't
+    # installable yet. Sub-package tags look like deepctl-cmd-listen-v0.0.3 —
+    # skip those.
     if: |
       needs.release-please.outputs.release_created == 'true' &&
       startsWith(needs.release-please.outputs.tag_name, 'v')