Merged
28 changes: 28 additions & 0 deletions .github/workflows/release.yml
@@ -4,6 +4,13 @@ on:
push:
tags:
- "v*"
workflow_dispatch:
inputs:
bump:
description: "Version bump"
type: choice
options: [patch, minor, major]
default: patch

permissions:
contents: write
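Review bot: `permissions: contents: write` is declared at workflow level, directly under the new `workflow_dispatch` trigger, so every job in this workflow runs with a write-scoped `GITHUB_TOKEN`, not only the step that pushes the tag. Move the grant under the job that tags and releases, and leave the workflow default at read-only for everything else. One interaction that does not need a guard: a tag pushed with `GITHUB_TOKEN` does not start a new run of the `push: tags: - "v*"` path, because GitHub does not trigger workflows from events created with the workflow's own token, so a dispatch release will not also run the tag-push path.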
@@ -19,6 +26,27 @@ jobs:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Bump and push tag
if: github.event_name == 'workflow_dispatch'
run: |
set -euo pipefail
if [ "${GITHUB_REF}" != "refs/heads/master" ]; then
echo "workflow_dispatch must run from master (got ${GITHUB_REF})" >&2
exit 1
Branch guard runs too late

Medium Severity

workflow_dispatch on a non-master ref still reaches the reusable test job before this guard runs. Because the workflow grants contents: write, branch code can execute under a write-scoped checkout token even though dispatch releases are meant to be master-only.

Reviewed by Cursor Bugbot for commit eae184a.

fi
git fetch --tags
latest=$(git tag --list 'v*' --sort=-v:refname | head -n1)
latest=${latest:-v0.0.0}
IFS='.' read -r major minor patch <<< "${latest#v}"
case "${{ inputs.bump }}" in
major) major=$((major+1)); minor=0; patch=0 ;;
minor) minor=$((minor+1)); patch=0 ;;
patch) patch=$((patch+1)) ;;
Tag parsing includes prereleases

Medium Severity

git tag --list 'v*' can select prerelease or malformed v* tags, but the bump logic assumes a numeric vX.Y.Z. A latest tag like v1.2.3-rc.1 can fail arithmetic or produce the wrong next release.

esac
next="v${major}.${minor}.${patch}"
echo "Bumping ${latest} -> ${next}"
git tag "${next}"
git push origin "${next}"
Reruns skip failed release tag

Medium Severity

The workflow_dispatch release workflow pushes a new tag before goreleaser completes. If goreleaser fails, this orphaned tag becomes the latest for subsequent runs, leading to an unintended version bump and skipping the original target.

Release dispatches can race

Medium Severity

workflow_dispatch has no release-level concurrency guard, so two manual runs can read the same latest tag and publish competing next versions from the same commit. Different bump inputs can both succeed, leaving duplicate releases for one HEAD.

- uses: actions/setup-go@v6
with:
go-version: "1.25"
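Review bot: the `case "${{ inputs.bump }}" in` block has no `*)` branch, so any value outside the three options leaves `major`/`minor`/`patch` unchanged, `next` equals `latest`, and the step fails only when `git tag "${next}"` refuses to create an existing tag, with a misleading error message. Add a catch-all such as `*) echo "unknown bump: ${BUMP}" >&2; exit 1 ;;`, and pass the input through the environment (`env: BUMP: ${{ inputs.bump }}` on the step, then `case "$BUMP" in`) instead of interpolating the `${{ }}` expression into the script text; the `type: choice` declaration constrains the value today, but reading it from the environment keeps the script safe if the input type is ever relaxed to a free string. On the ordering point Bugbot raised above: the tag is pushed before `actions/setup-go` and the release build run, so a failed build leaves the tag behind; push the tag only after the release artifacts build, or delete it in a failure step.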