Merged
24 changes: 23 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -50,13 +50,35 @@ jobs:
- name: Bump version
id: bump
run: |
set -euo pipefail
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

# npm version creates a commit and tag (e.g., "v0.21.0")
# Derive current version from git tags (authoritative source),
# not package.json which may be stale on main since we can't
# push version-bump commits to protected branches.
LATEST_TAG=$(git tag --sort=-version:refname | grep '^v[0-9]' | head -n1 || echo "v0.0.0")
Copilot AI Mar 12, 2026

LATEST_TAG is derived from all repository tags. Since this workflow explicitly allows running on maintenance branches (v*.x), this can pick a newer tag from another release line (e.g., main), causing the maintenance branch release to bump from the wrong base version. Consider restricting the tag selection to tags reachable from the current HEAD (e.g., only tags merged into this branch) and/or filtering to the branch’s version series.

Suggested change
LATEST_TAG=$(git tag --sort=-version:refname | grep '^v[0-9]' | head -n1 || echo "v0.0.0")
BRANCH_REF="${GITHUB_REF#refs/heads/}"
if [[ "$BRANCH_REF" == "main" ]]; then
TAG_PATTERN='^v[0-9]'
elif [[ "$BRANCH_REF" =~ ^v([0-9]+)\.x$ ]]; then
SERIES="${BASH_REMATCH[1]}"
TAG_PATTERN="^v${SERIES}\."
else
echo "::error::Unsupported release branch: $BRANCH_REF"
exit 1
fi
# Only consider tags reachable from the current HEAD and matching the branch's version series
LATEST_TAG=$(git tag --merged HEAD --sort=-version:refname | grep -E "$TAG_PATTERN" | head -n1 || echo "v0.0.0")

LATEST_VERSION=${LATEST_TAG#v}
echo "Latest version from git tags: $LATEST_VERSION"

# Sync package.json to latest tag version before bumping
npm version "$LATEST_VERSION" --no-git-tag-version --allow-same-version

# Bump to next version
npm version ${{ inputs.bump }} --no-git-tag-version
VERSION=$(node -p "require('./package.json').version")

# Check if this tag already exists (idempotent retry support)
if git rev-parse "v$VERSION" >/dev/null 2>&1; then
echo "Tag v$VERSION already exists, reusing it"
echo "version=v$VERSION" >> $GITHUB_OUTPUT
echo "version_number=$VERSION" >> $GITHUB_OUTPUT
exit 0
fi

# Create a commit with the bumped version and tag it.
# Only push the tag — branch protection prevents pushing to main.
# Downstream jobs checkout by tag, so they get the correct package.json.
git add package.json package-lock.json
git commit -m "$VERSION"
git tag "v$VERSION"
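Review bot: `npm version ${{ inputs.bump }} --no-git-tag-version` has the workflow input expanded into the script text before the shell parses it, so unless `inputs.bump` is strictly constrained elsewhere, its value is interpreted as shell in the step that creates the release commit and tag. Pass it through the step's `env:` (for example `BUMP: ${{ inputs.bump }}`) and call `npm version "$BUMP" --no-git-tag-version`. Separately, on the `LATEST_TAG=` line, `set -euo pipefail` makes the `|| echo "v0.0.0"` fallback also fire when `head -n1` closes the pipe while `grep` is still writing (SIGPIPE), which appends a second line `v0.0.0` to the captured value once the tag list is large enough; replacing the `echo` with `true` and defaulting afterwards with `LATEST_TAG=${LATEST_TAG:-v0.0.0}` avoids that. The two `>> $GITHUB_OUTPUT` redirects should quote the variable.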