fix: make release workflow compatible with branch protection#1260
fix: make release workflow compatible with branch protection#1260
Conversation
The release workflow failed because branch protection rules block direct pushes to main. This fix: 1. Derives version from git tags instead of package.json (which may be stale since we can't push version-bump commits to main) 2. Only pushes the tag, not the commit to main 3. Handles idempotent retries when a tag already exists from a previous partial run Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
✅ Coverage Check PassedOverall Coverage
📁 Per-file Coverage Changes (1 files)
Coverage comparison generated by |
There was a problem hiding this comment.
Pull request overview
Updates the release GitHub Actions workflow to work with protected branches by treating git tags as the source of truth for versioning, pushing only the release tag (not a version-bump commit to the protected branch), and allowing retries when a tag already exists.
Changes:
- Derive the “current” version from existing git tags instead of
package.json. - Create a local version-bump commit, tag it, and push only the tag (so branch protection doesn’t block the release).
- Add idempotent behavior to reuse an existing release tag on retry.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Derive current version from git tags (authoritative source), | ||
| # not package.json which may be stale on main since we can't | ||
| # push version-bump commits to protected branches. | ||
| LATEST_TAG=$(git tag --sort=-version:refname | grep '^v[0-9]' | head -n1 || echo "v0.0.0") |
There was a problem hiding this comment.
LATEST_TAG is derived from all repository tags. Since this workflow explicitly allows running on maintenance branches (v*.x), this can pick a newer tag from another release line (e.g., main), causing the maintenance branch release to bump from the wrong base version. Consider restricting the tag selection to tags reachable from the current HEAD (e.g., only tags merged into this branch) and/or filtering to the branch’s version series.
| LATEST_TAG=$(git tag --sort=-version:refname | grep '^v[0-9]' | head -n1 || echo "v0.0.0") | |
| BRANCH_REF="${GITHUB_REF#refs/heads/}" | |
| if [[ "$BRANCH_REF" == "main" ]]; then | |
| TAG_PATTERN='^v[0-9]' | |
| elif [[ "$BRANCH_REF" =~ ^v([0-9]+)\.x$ ]]; then | |
| SERIES="${BASH_REMATCH[1]}" | |
| TAG_PATTERN="^v${SERIES}\." | |
| else | |
| echo "::error::Unsupported release branch: $BRANCH_REF" | |
| exit 1 | |
| fi | |
| # Only consider tags reachable from the current HEAD and matching the branch's version series | |
| LATEST_TAG=$(git tag --merged HEAD --sort=-version:refname | grep -E "$TAG_PATTERN" | head -n1 || echo "v0.0.0") |
Smoke Test Results ✅ PASS
|
Smoke Test Results✅ GitHub MCP: #1258 fix: push only tag in release workflow | #1249 feat(proxy): add --openai-api-target and --anthropic-api-target flags Overall: PASS
|
|
fix: push only tag in release workflow to avoid branch protection violation | feat(proxy): add --openai-api-target and --anthropic-api-target flags
|
Summary
maingit push origin HEAD --tags(later changed togit push origin "v$VERSION") fails because branch protection blocks direct pushes, butpackage.jsonon main becomes stale without the version bump commitv0.23.2but the step failed; subsequent retries fail with "tag already exists"Fix
package.json— git tags are authoritative,package.jsonon main may be stale since we can't push version-bump commitspackage.json, downstream jobs checkout by tag refTest plan
v0.23.2tag:git push origin :refs/tags/v0.23.2minorbump🤖 Generated with Claude Code