From 400a6c709a416626370e578b0d0cea96da60d8fb Mon Sep 17 00:00:00 2001
From: "Hugo P.Brito" <hugopbrit@gmail.com>
Date: Tue, 16 Jun 2026 15:15:00 +0200
Subject: [PATCH 1/3] ci: add release freeze gate

- Add a PR and merge queue gate for master

- Block merges when RELEASE_FREEZE is enabled
---
 .github/workflows/release-freeze-gate.yml | 40 +++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/release-freeze-gate.yml

diff --git a/.github/workflows/release-freeze-gate.yml b/.github/workflows/release-freeze-gate.yml
new file mode 100644
index 0000000000..721a1f50b8
--- /dev/null
+++ b/.github/workflows/release-freeze-gate.yml
@@ -0,0 +1,40 @@
+name: 'Tools: Release Freeze Gate'
+
+on:
+  pull_request:
+    branches:
+      - 'master'
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+  merge_group:
+    branches:
+      - 'master'
+    types:
+      - checks_requested
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  release-freeze-gate:
+    name: Release Freeze Gate
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Check release freeze status
+        env:
+          RELEASE_FREEZE: ${{ vars.RELEASE_FREEZE }}
+        run: |
+          case "${RELEASE_FREEZE}" in
+            true|TRUE|True)
+              echo "::error::Release freeze is active. Merges to master are temporarily blocked."
+              echo "Set the RELEASE_FREEZE repository variable to false when the release is complete."
+              exit 1
+              ;;
+            *)
+              echo "Release freeze is not active."
+              ;;
+          esac

From 329900d8b5b6b37295871f1fbb38411789cd8626 Mon Sep 17 00:00:00 2001
From: "Hugo P.Brito" <hugopbrit@gmail.com>
Date: Thu, 18 Jun 2026 09:01:12 +0100
Subject: [PATCH 2/3] ci: align release freeze gate context

---
 .github/workflows/release-freeze-gate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-freeze-gate.yml b/.github/workflows/release-freeze-gate.yml
index 721a1f50b8..dd060f0f9c 100644
--- a/.github/workflows/release-freeze-gate.yml
+++ b/.github/workflows/release-freeze-gate.yml
@@ -20,7 +20,7 @@ permissions: {}
 
 jobs:
   release-freeze-gate:
-    name: Release Freeze Gate
+    name: release-freeze-gate
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:

From b94e3cfbc0edf3f753d948f63ecbeb7476295cf2 Mon Sep 17 00:00:00 2001
From: "Hugo P.Brito" <hugopbrit@gmail.com>
Date: Thu, 18 Jun 2026 09:23:42 +0100
Subject: [PATCH 3/3] ci: enable release freeze during preparation

---
 .github/workflows/prepare-release.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index ca324aa006..27349bba6f 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -25,6 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
+      actions: write
       contents: write
       pull-requests: write
     steps:
@@ -33,6 +34,12 @@ jobs:
       with:
         egress-policy: audit
 
+    - name: Enable release freeze
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        gh variable set RELEASE_FREEZE --body true --repo "${GITHUB_REPOSITORY}"
+
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with: