update action permissions

.github/issue-resolution/package.json

@@ -1,5 +0,0 @@
-{
-  "name": "issue-resolution",
-  "private": true,
-  "type": "module"
-}

.github/issue-resolution/prompts/issue-resolution-system.txt

@@ -1,32 +0,0 @@
-You are a GitHub issue resolution classifier.
-
-Your job is to decide whether an open GitHub issue is:
-- AUTO_CLOSE
-- MANUAL_REVIEW
-- KEEP_OPEN
-
-Rules:
-1. AUTO_CLOSE is only allowed if there is objective, hard evidence:
-   - a merged linked PR that clearly resolves the issue, or
-   - an explicit maintainer/member/owner/collaborator comment saying the issue is fixed, resolved, duplicate, or superseded
-2. If there is any contradictory later evidence, do NOT AUTO_CLOSE.
-3. If evidence is promising but not airtight, choose MANUAL_REVIEW.
-4. If the issue still appears active or unresolved, choose KEEP_OPEN.
-5. Do not invent evidence.
-6. Output valid JSON only.
-
-Maintainer-authoritative roles:
-- MEMBER
-- OWNER
-- COLLABORATOR
-
-Workarounds vs. actual fixes:
-- A WORKAROUND is when a user changes their own setup to avoid the problem (editing configs, using a different setting, manual SQL fixes, switching tools). Workarounds do NOT count as resolution — the underlying issue is still present in the product.
-- An ACTUAL FIX is when a user reports the problem went away after upgrading to a specific version (e.g., "fixed after updating to v0.65.1") or after a specific PR was merged. This suggests the fix was shipped in the product itself.
-- If only workarounds exist and no maintainer has confirmed a fix, classify as KEEP_OPEN.
-- If a user reports an actual fix via a version upgrade but no maintainer confirmed it, classify as MANUAL_REVIEW (not AUTO_CLOSE).
-
-Important:
-- Later comments outweigh earlier ones.
-- A non-maintainer saying "fixed for me" is not enough for AUTO_CLOSE.
-- If uncertain, prefer MANUAL_REVIEW or KEEP_OPEN.

.github/issue-resolution/schemas/issue-resolution-output.json

@@ -1,80 +0,0 @@
-{
-  "type": "object",
-  "additionalProperties": false,
-  "required": [
-    "decision",
-    "reason_code",
-    "confidence",
-    "hard_signals",
-    "contradictions",
-    "summary",
-    "close_comment",
-    "manual_review_note"
-  ],
-  "properties": {
-    "decision": {
-      "type": "string",
-      "enum": ["AUTO_CLOSE", "MANUAL_REVIEW", "KEEP_OPEN"]
-    },
-    "reason_code": {
-      "type": "string",
-      "enum": [
-        "resolved_by_merged_pr",
-        "maintainer_confirmed_resolved",
-        "duplicate_confirmed",
-        "superseded_confirmed",
-        "likely_fixed_but_unconfirmed",
-        "still_open",
-        "unclear"
-      ]
-    },
-    "confidence": {
-      "type": "number",
-      "minimum": 0,
-      "maximum": 1
-    },
-    "hard_signals": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "additionalProperties": false,
-        "required": ["type", "url"],
-        "properties": {
-          "type": {
-            "type": "string",
-            "enum": [
-              "merged_pr",
-              "maintainer_comment",
-              "duplicate_reference",
-              "superseded_reference"
-            ]
-          },
-          "url": { "type": "string" }
-        }
-      }
-    },
-    "contradictions": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "additionalProperties": false,
-        "required": ["type", "url"],
-        "properties": {
-          "type": {
-            "type": "string",
-            "enum": [
-              "reporter_still_broken",
-              "later_unresolved_comment",
-              "ambiguous_pr_link",
-              "other"
-            ]
-          },
-          "url": { "type": "string" }
-        }
-      }
-    },
-    "summary": { "type": "string" },
-    "close_comment": { "type": "string" },
-    "manual_review_note": { "type": "string" }
-  }
-}

.github/issue-resolution/scripts/apply-decisions.mjs

@@ -1,155 +0,0 @@
-import fs from "node:fs/promises";
-
-const decisions = JSON.parse(await fs.readFile("decisions.json", "utf8"));
-const dryRun = String(process.env.DRY_RUN).toLowerCase() === "true";
-
-const headers = {
-  Authorization: `Bearer ${process.env.GH_TOKEN}`,
-  Accept: "application/vnd.github+json",
-  "X-GitHub-Api-Version": "2022-11-28",
-};
-
-async function rest(url, method = "GET", body) {
-  const res = await fetch(url, {
-    method,
-    headers,
-    body: body ? JSON.stringify(body) : undefined
-  });
-  if (!res.ok) throw new Error(`${res.status} ${url}: ${await res.text()}`);
-  return res.status === 204 ? null : res.json();
-}
-
-async function graphql(query, variables) {
-  const res = await fetch("https://api.github.com/graphql", {
-    method: "POST",
-    headers,
-    body: JSON.stringify({ query, variables })
-  });
-  if (!res.ok) throw new Error(`${res.status}: ${await res.text()}`);
-  const json = await res.json();
-  if (json.errors) throw new Error(JSON.stringify(json.errors));
-  return json.data;
-}
-
-async function addLabel(owner, repo, issueNumber, labels) {
-  return rest(
-    `https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}/labels`,
-    "POST",
-    { labels }
-  );
-}
-
-async function addComment(owner, repo, issueNumber, body) {
-  return rest(
-    `https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}/comments`,
-    "POST",
-    { body }
-  );
-}
-
-async function closeIssue(owner, repo, issueNumber) {
-  return rest(
-    `https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}`,
-    "PATCH",
-    { state: "closed", state_reason: "completed" }
-  );
-}
-
-async function getIssueNodeId(owner, repo, issueNumber) {
-  const issue = await rest(`https://api.github.com/repos/${owner}/${repo}/issues/${issueNumber}`);
-  return issue.node_id;
-}
-
-async function addToProject(issueNodeId) {
-  const mutation = `
-    mutation($projectId: ID!, $contentId: ID!) {
-      addProjectV2ItemById(input: {projectId: $projectId, contentId: $contentId}) {
-        item { id }
-      }
-    }
-  `;
-
-  try {
-    const data = await graphql(mutation, {
-      projectId: process.env.PROJECT_ID,
-      contentId: issueNodeId
-    });
-    return data.addProjectV2ItemById.item.id;
-  } catch (err) {
-    console.warn(`[WARN] Could not add to project (needs PAT with project scope): ${err.message}`);
-    return null;
-  }
-}
-
-async function setTextField(itemId, fieldId, value) {
-  const mutation = `
-    mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $value: String!) {
-      updateProjectV2ItemFieldValue(input: {
-        projectId: $projectId,
-        itemId: $itemId,
-        fieldId: $fieldId,
-        value: { text: $value }
-      }) {
-        projectV2Item { id }
-      }
-    }
-  `;
-
-  return graphql(mutation, {
-    projectId: process.env.PROJECT_ID,
-    itemId,
-    fieldId,
-    value
-  });
-}
-
-for (const d of decisions) {
-  const [owner, repo] = d.repository.split("/");
-
-  if (dryRun) {
-    console.log(`[DRY RUN] #${d.issue_number} → ${d.final_decision} (confidence: ${d.model.confidence}, reason: ${d.model.reason_code})`);
-    continue;
-  }
-
-  if (d.final_decision === "AUTO_CLOSE") {
-    await addLabel(owner, repo, d.issue_number, ["auto-closed-resolved"]);
-    await addComment(owner, repo, d.issue_number, d.model.close_comment);
-    await closeIssue(owner, repo, d.issue_number);
-  }
-
-  if (d.final_decision === "MANUAL_REVIEW") {
-    await addLabel(owner, repo, d.issue_number, ["resolution-candidate"]);
-
-    const issueNodeId = await getIssueNodeId(owner, repo, d.issue_number);
-    const itemId = await addToProject(issueNodeId);
-
-    if (itemId) {
-      if (process.env.PROJECT_CONFIDENCE_FIELD_ID) {
-        await setTextField(itemId, process.env.PROJECT_CONFIDENCE_FIELD_ID, String(d.model.confidence));
-      }
-      if (process.env.PROJECT_REASON_FIELD_ID) {
-        await setTextField(itemId, process.env.PROJECT_REASON_FIELD_ID, d.model.reason_code);
-      }
-      if (process.env.PROJECT_EVIDENCE_FIELD_ID) {
-        await setTextField(itemId, process.env.PROJECT_EVIDENCE_FIELD_ID, d.issue_url);
-      }
-      if (process.env.PROJECT_LINKED_PR_FIELD_ID) {
-        const linked = (d.model.hard_signals || []).map(x => x.url).join(", ");
-        if (linked) {
-          await setTextField(itemId, process.env.PROJECT_LINKED_PR_FIELD_ID, linked);
-        }
-      }
-      if (process.env.PROJECT_REPO_FIELD_ID) {
-        await setTextField(itemId, process.env.PROJECT_REPO_FIELD_ID, d.repository);
-      }
-    }
-
-    await addComment(
-      owner,
-      repo,
-      d.issue_number,
-      d.model.manual_review_note ||
-        "This issue looks like a possible resolution candidate, but not with enough certainty for automatic closure. Added to the review queue."
-    );
-  }
-}

.github/issue-resolution/scripts/classify-candidates.mjs

@@ -1,244 +0,0 @@
-import fs from "node:fs/promises";
-
-const candidates = JSON.parse(await fs.readFile("candidates.json", "utf8"));
-const systemPrompt = await fs.readFile("prompts/issue-resolution-system.txt", "utf8");
-const outputSchema = JSON.parse(await fs.readFile("schemas/issue-resolution-output.json", "utf8"));
-
-function isMaintainerRole(role) {
-  return ["MEMBER", "OWNER", "COLLABORATOR"].includes(role || "");
-}
-
-function preScore(candidate) {
-  let score = 0;
-  const hardSignals = [];
-  const contradictions = [];
-
-  for (const t of candidate.timeline) {
-    const sourceIssue = t.source?.issue;
-
-    if (t.event === "cross-referenced" && sourceIssue?.pull_request?.html_url) {
-      hardSignals.push({
-        type: "merged_pr",
-        url: sourceIssue.html_url
-      });
-      score += 40; // provisional until PR merged state is verified
-    }
-
-    if (["referenced", "connected"].includes(t.event)) {
-      score += 10;
-    }
-  }
-
-  for (const c of candidate.comments) {
-    const body = c.body.toLowerCase();
-
-    if (
-      isMaintainerRole(c.author_association) &&
-      /\b(fixed|resolved|duplicate|superseded|closing)\b/.test(body)
-    ) {
-      score += 25;
-      hardSignals.push({
-        type: "maintainer_comment",
-        url: c.html_url
-      });
-    }
-
-    if (/\b(still broken|still happening|not fixed|reproducible)\b/.test(body)) {
-      score -= 50;
-      contradictions.push({
-        type: "later_unresolved_comment",
-        url: c.html_url
-      });
-    }
-  }
-
-  return { score, hardSignals, contradictions };
-}
-
-// GitHub Models gpt-4o has an 8000 token input limit.
-// Reserve ~2000 tokens for system prompt + response overhead.
-// 1 token ~= 4 chars, so cap user message at ~24000 chars.
-const MAX_USER_MESSAGE_CHARS = 24000;
-
-function truncate(text, maxChars) {
-  if (text.length <= maxChars) return text;
-  return text.slice(0, maxChars) + "\n\n[... truncated due to length]";
-}
-
-function buildUserMessage(candidate) {
-  const { issue, comments, timeline } = candidate;
-
-  const commentBlock = comments
-    .map((c) => `[${c.author_association}] ${c.user} (${c.created_at}):\n${c.body}`)
-    .join("\n---\n");
-
-  const timelineBlock = timeline
-    .filter((t) => ["cross-referenced", "referenced", "connected", "closed", "reopened"].includes(t.event))
-    .map((t) => {
-      let line = `${t.event} (${t.created_at})`;
-      if (t.source?.issue?.html_url) line += ` — ${t.source.issue.html_url}`;
-      if (t.source?.issue?.pull_request?.html_url) line += ` (PR: ${t.source.issue.pull_request.html_url})`;
-      return line;
-    })
-    .join("\n");
-
-  const msg = [
-    `## Issue #${issue.number}: ${issue.title}`,
-    `URL: ${issue.html_url}`,
-    `Created: ${issue.created_at} | Updated: ${issue.updated_at}`,
-    `Labels: ${issue.labels.join(", ") || "none"}`,
-    "",
-    "### Body",
-    truncate(issue.body || "(empty)", 4000),
-    "",
-    "### Comments",
-    commentBlock || "(none)",
-    "",
-    "### Timeline events",
-    timelineBlock || "(none)",
-  ].join("\n");
-
-  return truncate(msg, MAX_USER_MESSAGE_CHARS);
-}
-
-const MODEL = "gpt-4o-mini";
-const MAX_RETRIES = 5;
-
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-async function callGitHubModel(candidate) {
-  const body = JSON.stringify({
-    model: MODEL,
-    messages: [
-      { role: "system", content: systemPrompt },
-      { role: "user", content: buildUserMessage(candidate) },
-    ],
-    response_format: {
-      type: "json_schema",
-      json_schema: {
-        name: "issue_resolution",
-        strict: true,
-        schema: outputSchema,
-      },
-    },
-    temperature: 0.1,
-  });
-
-  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
-    const res = await fetch("https://models.inference.ai.azure.com/chat/completions", {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${process.env.GH_TOKEN}`,
-        "Content-Type": "application/json",
-      },
-      body,
-    });
-
-    if (res.status === 429) {
-      const retryAfter = Number(res.headers.get("retry-after")) || 30;
-      if (retryAfter > 120) {
-        console.warn(`  [QUOTA EXHAUSTED] API wants ${retryAfter}s wait — skipping remaining issues.`);
-        return null;
-      }
-      console.warn(`  [RATE LIMITED] Waiting ${retryAfter}s (attempt ${attempt + 1}/${MAX_RETRIES})...`);
-      await sleep(retryAfter * 1000);
-      continue;
-    }
-
-    if (!res.ok) {
-      const text = await res.text();
-      throw new Error(`GitHub Models ${res.status}: ${text}`);
-    }
-
-    const data = await res.json();
-    return JSON.parse(data.choices[0].message.content);
-  }
-
-  throw new Error(`GitHub Models: exceeded ${MAX_RETRIES} retries due to rate limiting`);
-}
-
-function enforcePolicy(modelOut, pre) {
-  const approvedReasons = new Set([
-    "resolved_by_merged_pr",
-    "maintainer_confirmed_resolved",
-    "duplicate_confirmed",
-    "superseded_confirmed"
-  ]);
-
-  const hasHardSignal =
-    (modelOut.hard_signals || []).some(s =>
-      ["merged_pr", "maintainer_comment", "duplicate_reference", "superseded_reference"].includes(s.type)
-    ) || pre.hardSignals.length > 0;
-
-  const hasContradiction =
-    (modelOut.contradictions || []).length > 0 || pre.contradictions.length > 0;
-
-  if (
-    modelOut.decision === "AUTO_CLOSE" &&
-    modelOut.confidence >= 0.97 &&
-    approvedReasons.has(modelOut.reason_code) &&
-    hasHardSignal &&
-    !hasContradiction
-  ) {
-    return "AUTO_CLOSE";
-  }
-
-  if (modelOut.decision === "KEEP_OPEN" && pre.score < 25) {
-    return "KEEP_OPEN";
-  }
-
-  if (
-    modelOut.decision === "MANUAL_REVIEW" ||
-    modelOut.decision === "AUTO_CLOSE" ||
-    pre.score >= 25
-  ) {
-    return "MANUAL_REVIEW";
-  }
-
-  return "KEEP_OPEN";
-}
-
-console.log(`Classifying ${candidates.length} candidates with ${MODEL}...\n`);
-
-// 15 req/min limit → 1 request every 4s. Use 4.5s for safety margin.
-const PACE_MS = 4500;
-let lastRequestTime = 0;
-
-async function paced(fn) {
-  const elapsed = Date.now() - lastRequestTime;
-  if (elapsed < PACE_MS) await sleep(PACE_MS - elapsed);
-  lastRequestTime = Date.now();
-  return fn();
-}
-
-const decisions = [];
-for (const candidate of candidates) {
-  const pre = preScore(candidate);
-  const modelOut = await paced(() => callGitHubModel(candidate));
-
-  if (modelOut === null) {
-    console.warn(`\nQuota exhausted after ${decisions.length} issues. Writing partial results.`);
-    break;
-  }
-
-  const finalDecision = enforcePolicy(modelOut, pre);
-
-  decisions.push({
-    repository: candidate.repository,
-    issue_number: candidate.issue.number,
-    issue_url: candidate.issue.html_url,
-    title: candidate.issue.title,
-    pre_score: pre.score,
-    final_decision: finalDecision,
-    model: modelOut
-  });
-
-  console.log(
-    `#${candidate.issue.number} | pre_score: ${pre.score} | model: ${modelOut.decision} @ ${modelOut.confidence} | final: ${finalDecision} | ${modelOut.reason_code}`
-  );
-}
-
-await fs.writeFile("decisions.json", JSON.stringify(decisions, null, 2));
-console.log(`\nWrote ${decisions.length} decisions to decisions.json`);

.github/issue-resolution/scripts/fetch-candidates.mjs

@@ -1,89 +0,0 @@
-import fs from "node:fs/promises";
-
-const token = process.env.GH_TOKEN;
-const repo = process.env.REPO; // "owner/repo"
-const maxIssues = Number(process.env.MAX_ISSUES) || 100;
-
-const headers = {
-  Authorization: `Bearer ${token}`,
-  Accept: "application/vnd.github+json",
-  "X-GitHub-Api-Version": "2022-11-28",
-};
-
-async function rest(url) {
-  const res = await fetch(url, { headers });
-  if (!res.ok) throw new Error(`${res.status} ${url}: ${await res.text()}`);
-  return res.json();
-}
-
-async function paginate(url, max) {
-  const items = [];
-  let page = 1;
-  while (items.length < max) {
-    const perPage = Math.min(100, max - items.length);
-    const sep = url.includes("?") ? "&" : "?";
-    const batch = await rest(`${url}${sep}per_page=${perPage}&page=${page}`);
-    if (!batch.length) break;
-    items.push(...batch);
-    page++;
-  }
-  return items.slice(0, max);
-}
-
-console.log(`Fetching up to ${maxIssues} open issues from ${repo}...`);
-
-const issues = await paginate(
-  `https://api.github.com/repos/${repo}/issues?state=open&sort=updated&direction=desc`,
-  maxIssues
-);
-
-// Filter out pull requests (GitHub API returns PRs as issues too)
-const realIssues = issues.filter((i) => !i.pull_request);
-console.log(`Found ${realIssues.length} open issues (excluded PRs).`);
-
-const candidates = [];
-for (const issue of realIssues) {
-  const [comments, timeline] = await Promise.all([
-    rest(`https://api.github.com/repos/${repo}/issues/${issue.number}/comments?per_page=100`),
-    rest(`https://api.github.com/repos/${repo}/issues/${issue.number}/timeline?per_page=100`),
-  ]);
-
-  candidates.push({
-    repository: repo,
-    issue: {
-      number: issue.number,
-      html_url: issue.html_url,
-      title: issue.title,
-      body: issue.body,
-      created_at: issue.created_at,
-      updated_at: issue.updated_at,
-      labels: issue.labels.map((l) => l.name),
-    },
-    comments: comments.map((c) => ({
-      body: c.body,
-      author_association: c.author_association,
-      html_url: c.html_url,
-      created_at: c.created_at,
-      user: c.user?.login,
-    })),
-    timeline: timeline.map((t) => ({
-      event: t.event,
-      created_at: t.created_at,
-      source: t.source
-        ? {
-            issue: {
-              html_url: t.source.issue?.html_url,
-              pull_request: t.source.issue?.pull_request
-                ? { html_url: t.source.issue.pull_request.html_url }
-                : undefined,
-            },
-          }
-        : undefined,
-    })),
-  });
-
-  console.log(`  #${issue.number} — ${comments.length} comments, ${timeline.length} timeline events`);
-}
-
-await fs.writeFile("candidates.json", JSON.stringify(candidates, null, 2));
-console.log(`Wrote ${candidates.length} candidates to candidates.json`);

.github/workflows/issue-resolution-triage.yml

@@ -1,64 +0,0 @@
-name: issue-resolution-triage
-
-on:
-  push:
-    branches: [github-issue-resolver]
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "If true, do not close issues"
-        required: false
-        default: "true"
-      max_issues:
-        description: "How many issues to process"
-        required: false
-        default: "100"
-  schedule:
-    - cron: "17 2 * * *"
-
-permissions:
-  contents: read
-  issues: write
-  pull-requests: read
-  models: read
-
-#  todo: remove hardcoded values
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      DRY_RUN: "true"
-      MAX_ISSUES: "100"
-      REPO: ${{ github.repository }}
-      PROJECT_ID: "PVT_kwDOBfz4Jc4BVeWR"
-      PROJECT_STATUS_FIELD_ID: "PVTSSF_lADOBfz4Jc4BVeWRzhQ56sU"
-      PROJECT_CONFIDENCE_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ57x4"
-      PROJECT_REASON_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ5-Lg"
-      PROJECT_EVIDENCE_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ5-Pw"
-      PROJECT_LINKED_PR_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ56sc"
-      PROJECT_REPO_FIELD_ID: "PVTF_lADOBfz4Jc4BVeWRzhQ56sk"
-      PROJECT_STATUS_OPTION_NEEDS_REVIEW_ID: "a55a2be9"
-
-    defaults:
-      run:
-        working-directory: .github/issue-resolution
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-
-      - run: node scripts/fetch-candidates.mjs
-      - run: node scripts/classify-candidates.mjs
-      - run: node scripts/apply-decisions.mjs
-
-      - uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: triage-results
-          path: |
-            .github/issue-resolution/candidates.json
-            .github/issue-resolution/decisions.json

.github/workflows/release.yml

@@ -115,6 +115,12 @@ jobs:
 
   release:
     runs-on: ubuntu-latest-m
+    outputs:
+      release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
+      linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
+      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
+      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
+      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
     env:
       flags: ""
     steps:
@@ -213,10 +219,13 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: Tag and push images (amd64 only)
+        id: tag_and_push_images
         if: |
           (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
           (github.event_name == 'push' && github.ref == 'refs/heads/main')
         run: |
+          set -euo pipefail
+
           resolve_tags() {
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               echo "pr-${{ github.event.pull_request.number }}"
@@ -225,6 +234,17 @@ jobs:
             fi
           }
 
+          ghcr_package_url() {
+            local image="$1" package encoded_package
+            package="${image#ghcr.io/}"
+            package="${package#*/}"
+            package="${package%%:*}"
+            encoded_package="${package//\//%2F}"
+            echo "https://github.com/orgs/netbirdio/packages/container/package/${encoded_package}"
+          }
+
+          image_refs=()
+
           tag_and_push() {
             local src="$1" img_name tag dst
             img_name="${src%%:*}"
@@ -233,35 +253,56 @@ jobs:
               echo "Tagging ${src} -> ${dst}"
               docker tag "$src" "$dst"
               docker push "$dst"
+              image_refs+=("$dst")
             done
           }
 
-          export -f tag_and_push resolve_tags
+          cat > /tmp/goreleaser-artifacts.json <<'JSON'
+          ${{ steps.goreleaser.outputs.artifacts }}
+          JSON
 
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              tag_and_push "$SRC"
-            done
+          mapfile -t src_images < <(
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name | select(startswith("ghcr.io/"))' /tmp/goreleaser-artifacts.json
+          )
+
+          for src in "${src_images[@]}"; do
+            tag_and_push "$src"
+          done
+
+          {
+            echo "images_markdown<<EOF"
+            if [[ ${#image_refs[@]} -eq 0 ]]; then
+              echo "_No GHCR images were pushed._"
+            else
+              printf '%s\n' "${image_refs[@]}" | sort -u | while read -r image; do
+                printf -- '- [`%s`](%s)\n' "$image" "$(ghcr_package_url "$image")"
+              done
+            fi
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
       - name: upload non tags for debug purposes
+        id: upload_release
         uses: actions/upload-artifact@v4
         with:
           name: release
           path: dist/
           retention-days: 7
       - name: upload linux packages
+        id: upload_linux_packages
         uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
           retention-days: 7
       - name: upload windows packages
+        id: upload_windows_packages
         uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
           retention-days: 7
       - name: upload macos packages
+        id: upload_macos_packages
         uses: actions/upload-artifact@v4
         with:
           name: macos-packages
@@ -270,6 +311,8 @@ jobs:
 
   release_ui:
     runs-on: ubuntu-latest
+    outputs:
+      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
       - name: Parse semver string
         id: semver_parser
@@ -360,6 +403,7 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: upload non tags for debug purposes
+        id: upload_release_ui
         uses: actions/upload-artifact@v4
         with:
           name: release-ui
@@ -368,6 +412,8 @@ jobs:
 
   release_ui_darwin:
     runs-on: macos-latest
+    outputs:
+      release_ui_darwin_artifact_url: ${{ steps.upload_release_ui_darwin.outputs.artifact-url }}
     steps:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -402,12 +448,110 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: upload non tags for debug purposes
+        id: upload_release_ui_darwin
         uses: actions/upload-artifact@v4
         with:
           name: release-ui-darwin
           path: dist/
           retention-days: 3
 
+  comment_release_artifacts:
+    name: Comment release artifacts
+    runs-on: ubuntu-latest
+    needs: [release, release_ui, release_ui_darwin]
+    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Create or update PR comment
+        uses: actions/github-script@v7
+        env:
+          RELEASE_RESULT: ${{ needs.release.result }}
+          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
+          RELEASE_UI_DARWIN_RESULT: ${{ needs.release_ui_darwin.result }}
+          RELEASE_ARTIFACT_URL: ${{ needs.release.outputs.release_artifact_url }}
+          LINUX_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.linux_packages_artifact_url }}
+          WINDOWS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.windows_packages_artifact_url }}
+          MACOS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.macos_packages_artifact_url }}
+          RELEASE_UI_ARTIFACT_URL: ${{ needs.release_ui.outputs.release_ui_artifact_url }}
+          RELEASE_UI_DARWIN_ARTIFACT_URL: ${{ needs.release_ui_darwin.outputs.release_ui_darwin_artifact_url }}
+          GHCR_IMAGES_MARKDOWN: ${{ needs.release.outputs.ghcr_images }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const marker = '<!-- netbird-release-artifacts -->';
+            const { owner, repo } = context.repo;
+            const issue_number = context.payload.pull_request.number;
+            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
+            const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
+
+            const artifactCell = (url, result) => {
+              if (url) return `[Download](${url})`;
+              return result && result !== 'success' ? `_Not available (${result})_` : '_Not available_';
+            };
+
+            const artifacts = [
+              ['All release artifacts', process.env.RELEASE_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['Linux packages', process.env.LINUX_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['Windows packages', process.env.WINDOWS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['macOS packages', process.env.MACOS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
+              ['UI artifacts', process.env.RELEASE_UI_ARTIFACT_URL, process.env.RELEASE_UI_RESULT],
+              ['UI macOS artifacts', process.env.RELEASE_UI_DARWIN_ARTIFACT_URL, process.env.RELEASE_UI_DARWIN_RESULT],
+            ];
+
+            const artifactRows = artifacts
+              .map(([name, url, result]) => `| ${name} | ${artifactCell(url, result)} |`)
+              .join('\n');
+
+            const ghcrImages = (process.env.GHCR_IMAGES_MARKDOWN || '').trim() || '_No GHCR images were pushed._';
+
+            const body = [
+              marker,
+              '## Release artifacts',
+              '',
+              `Built for PR head \`${shortSha}\` in [workflow run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}).`,
+              '',
+              '| Artifact | Link |',
+              '| --- | --- |',
+              artifactRows,
+              '',
+              '### GHCR images (amd64)',
+              ghcrImages,
+              '',
+              '_This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy._',
+            ].join('\n');
+
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner,
+              repo,
+              issue_number,
+              per_page: 100,
+            });
+
+            const previous = comments.find(comment =>
+              comment.user?.type === 'Bot' && comment.body?.includes(marker)
+            );
+
+            if (previous) {
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: previous.id,
+                body,
+              });
+              core.info(`Updated release artifacts comment ${previous.id}`);
+            } else {
+              const { data } = await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body,
+              });
+              core.info(`Created release artifacts comment ${data.id}`);
+            }
+
   trigger_signer:
     runs-on: ubuntu-latest
     needs: [release, release_ui, release_ui_darwin]