Release process and tooling improvements

[mtojek]

Incident: workspace agent manifest exposure — Follow-ups

Summary

This issue tracks required follow-up actions related to the workspace agent manifest exposure incident.

---

Release Ownership

• Add an additional release maintainer/admin in the EU timezone.
• Ensure that any engineer can perform a release in case of an emergency, without relying on a single maintainer.

---

Cherry-pick Process

• The current cherry-pick workflow is unclear.
• Example: PR #20909 was not included despite having the required labels.
• Historically, engineers applied labels to original PRs and the release manager cherry-picked them before a release.
• The current expectation is that engineers create separate cherry-pick PRs and ensure they are merged into the appropriate release branch.
• Documentation and communication of this updated process need to be improved.

---

Release Script Requirements

Updates needed for the release script:

• Support for non-stable/non-mainline targets.
• Always set CODER_IGNORE_MISSING_COMMIT_METADATA=1.
• Add a draft release option.
• Use a more powerful runner to reduce release time.
• Add a flag to indicate whether the release is “latest” (or set automatically when using --stable).
• Require tag signing.
• Improve performance, current scripts take ~20 minutes per release, which is too slow.

[mtojek]

Assigning @david-fraley for now to validate the scope and action times. Once 👍 we will have to find an engineer.