fix(ci): fetch-tags on tag-introspection checkouts so signed annotated tags pass#532
fix(ci): fetch-tags on tag-introspection checkouts so signed annotated tags pass#532branarakic wants to merge 1 commit into
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
The release.yml `Validate release candidate` job runs `git cat-file -t <tag>` and asserts the result is `tag` (not `commit`) to confirm the pushed ref is a signed annotated tag. Without `fetch-tags: true` on the preceding `actions/checkout`, the runner only materialises a synthetic lightweight ref pointing at the commit; `git cat-file -t` returns `commit`; and a legitimately-signed annotated tag is rejected as "lightweight, cannot carry a signature." This blocked the v10.0.0-rc.8 release push (release.yml run 25943282274) and required a manual workaround for v10.0.0-rc.9. Original PR also patched npm-publish.yml's matching gate, but that gate was removed on main by 2478f63 ("fix(ci): remove signed-tag requirement from npm-publish"). The npm-publish.yml hunk was dropped during rebase; only release.yml needs the fix now. Audit: every other actions/checkout in release.yml was reviewed and none of them depend on tag annotation (build asset jobs read .nvmrc / package.json only). No version bump (workflow-only change). Co-authored-by: Cursor <cursoragent@cursor.com>
branarakic
force-pushed
the
fix/ci-fetch-tags-on-tag-introspection
branch
from
2b93226 to
175b176
Compare
|
Rebased onto current main ( Resolution note: main has had 7 CI fixes in these files since the merge-base, including The Rebased commit: |
1 participant
Summary
The release.yml
Validate release candidatejob and the npm-publish.ymlRequire signed annotated tagjob both rely ongit cat-file -t <tag>returningtagfor annotated tags. They useactions/checkout@v4to materialise the tag, but withoutfetch-tags: true— which means the runner gets a synthetic lightweight ref pointing at the commit, not the tag-object.So
git cat-file -t v10.0.0-rc.8returnscommitinstead oftag, and the structural signed-tag gate rejects the (correctly signed) tag with:This was the failure mode on the
v10.0.0-rc.8push earlier today (release.yml run 25943282274). The tag was correctly created withgit tag -s—git ls-remoteshows it as a tag object whose^{}peels to the merge commit onmain, and the body contains the expected-----BEGIN SSH SIGNATURE-----block.Author intent is unambiguous
From
release.ymllines 100–124:The gate is supposed to PASS legitimately-signed annotated tags. The bug is purely the missing
fetch-tags: true.Change
14 lines, in two places:
release.ymlValidate release candidatecheckout (line 53–60)npm-publish.ymlRequire signed annotated tagcheckout (line 226–230)Both gain
fetch-tags: trueplus a 6-line comment explaining why the option matters.No version bump (workflow-only change). No test changes (these are CI gates that fire only on tag pushes).
Other checkouts in these workflows
Audited:
release.ymlline 281 (Build MarkItDown binary): doesn't read tag annotation, no change needed.release.ymlline 428 (Build, test, and create release): uses--notes-file release_notes.md(sourced fromCHANGELOG.md), not the tag annotation; doesn't needfetch-tags.npm-publish.ymlline 284 (build-and-pack): only reads.nvmrcandpackage.json; doesn't needfetch-tags.So the minimal correct fix is exactly these two checkouts.
Test plan
.github/workflows/)package.jsonversions touchedactions/checkoutin both workflows for the same bugv10.0.0-rc.8(local + remote), re-tag against newmainHEAD, push → release.yml passes structural gate → reviewer approvesnpm-publishEnvironment → publish completesWhy this didn't fire before
v10.0.0-rc.7and earlier went through the OLD continuous-publish-on-merge flow. PR #522 introduced the new tag-triggered flow with this signed-tag gate, andv10.0.0-rc.8is the first tag pushed under it — first time the bug was exercised.Made with Cursor