Skip to content

Guard cli-post-release on cli-release success for the same tag#2854

Merged
mikeland73 merged 2 commits into
mainfrom
mikeland73/guard-post-release
Jun 21, 2026
Merged

Guard cli-post-release on cli-release success for the same tag#2854
mikeland73 merged 2 commits into
mainfrom
mikeland73/guard-post-release

Conversation

@mikeland73

@mikeland73 mikeland73 commented Jun 7, 2026

Copy link
Copy Markdown
Collaborator

What

cli-post-release runs on the GitHub release: [released] event and promotes the tag to stable in S3. That event can fire even when cli-release failed partway (or a release was published by other means), which would promote a broken build.

This adds a check-release gate job (which publish now needs:) that waits for the cli-release workflow run for the same commit to finish and fails if it did not succeed, using int128/wait-for-workflows-action.

Notes

  • sha: ${{ github.sha }} — on the release event this is the tag's commit, matching the SHA cli-release ran on.
  • filter-workflow-events: push — overrides the action's default (current event = release); cli-release is triggered by the tag push.
  • filter-workflow-names: cli-release — waits only on that workflow.

The common case (tests fail → release job skipped → no release published) already never fires the event; this guard covers the partial-failure / externally-published edge cases.

🤖 Generated with Claude Code

@mikeland73 @claude
Guard cli-post-release on cli-release success for the same tag
bccffe5 
cli-post-release runs on the `released` event and promotes the tag to
stable in S3. That event can fire even when cli-release failed partway
(or a release is published by other means), so gate the publish job on a
check that the cli-release workflow for the same commit actually
succeeded, using int128/wait-for-workflows-action.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mikeland73 mikeland73 requested review from Lagoja and Copilot and removed request for Copilot June 7, 2026 19:30
@mikeland73 mikeland73 requested a review from Copilot June 21, 2026 17:42
Copilot AI reviewed Jun 21, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a safety gate to cli-post-release so it only promotes a release tag to stable after confirming the corresponding cli-release workflow run for the same commit succeeded, preventing promotion of partially failed or externally published releases.

Changes:

  • Introduces a new check-release job that waits for the cli-release workflow run matching the release tag’s commit SHA.
  • Makes the existing publish job depend on check-release via needs: so promotion is blocked on failure.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/cli-post-release.yml
@mikeland73
Potential fix for pull request finding
12d7e32 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Mike Landau <mikeland86@gmail.com>
@mikeland73 mikeland73 merged commit 9dad286 into main Jun 21, 2026
6 checks passed
@mikeland73 mikeland73 deleted the mikeland73/guard-post-release branch June 21, 2026 17:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Lagoja Lagoja Awaiting requested review from Lagoja

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mikeland73