
fix: goreleaser skipped on push/tag when dep-guard is skipped

7f7793b
Merged

[TT-16977] fix: goreleaser skipped on push/tag when dep-guard is skipped #8007

probelabs / Visor: security failed Apr 15, 2026 in 59s

🚨 Check Failed

security check failed because fail_if condition was met.

Details

📊 Summary

  • Total Issues: 2
  • Error Issues: 2

🔍 Failure Condition Results

Failed Conditions

  • global_fail_if: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
    • Severity: ❌ error

Issues by Category

Security (1)

  • .github/workflows/release.yml:42 - The if condition for the goreleaser job is insecure and logically flawed. The condition github.event.pull_request.draft == false is too broad for a job with contents: write permissions, as it could trigger on any non-draft pull request, posing a risk of unintended releases. Additionally, this condition will fail on push and tag events (where github.event.pull_request is null), meaning the intended fix to enable releases on tags will not work as the job will continue to be skipped.

Logic (1)

  • system:0 - Global failure condition met: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')


Annotations

Check failure on line 45 in .github/workflows/release.yml


security Issue

Raw output
Strengthen the trigger condition to be more specific. A release job should only run on explicit release events, such as creating a tag that matches a version pattern. The condition should also be corrected to work for non-PR events.

Example of a more secure and correct condition:
```yaml
if: |
  !cancelled() &&
  (needs.dep-guard.result == 'success' || needs.dep-guard.result == 'skipped') &&
  (startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'pull_request' && github.event.pull_request.draft == false))
```
This will trigger the job on version tags (e.g., `v1.2.3`) and non-draft pull requests. Ensure the `goreleaser` action itself distinguishes between these events to perform a full release only on tags.
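As an added illustration (not part of the PR or the Visor output above), the following is one way to lay out a release workflow so that the job holding `contents: write` can only ever run on a version tag, while pull requests get a publish-free snapshot build with read-only permissions. It keeps the `dep-guard` / `goreleaser` job graph and the `!cancelled()` + `needs.dep-guard.result` handling from the check above, so a tag push where `dep-guard` is skipped still reaches the release job. Everything else is assumed: the `dep-guard` step body (`go mod verify`), the action versions, the `snapshot` job name, and the `v*` tag pattern.

```yaml
name: release

on:
  push:
    tags:
      - 'v*'          # assumption: releases are cut from tags like v1.2.3
  pull_request:

# Workflow-wide default is read-only; only the release job escalates.
permissions:
  contents: read

jobs:
  dep-guard:
    # Hypothetical dependency gate that only runs for pull requests, so it is
    # 'skipped' (not 'failure') on a tag push. The body is illustrative.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go mod verify

  goreleaser:
    needs: [dep-guard]
    # Run only on v* tags, and only when dep-guard passed or was skipped.
    # !cancelled() is what lets this job evaluate at all when a needed job
    # did not run; without it the job is skipped whenever dep-guard is.
    if: |
      !cancelled() &&
      startsWith(github.ref, 'refs/tags/v') &&
      (needs.dep-guard.result == 'success' || needs.dep-guard.result == 'skipped')
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to create the GitHub release and upload assets
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # goreleaser needs full history for the changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  snapshot:
    needs: [dep-guard]
    # Pull-request build: exercises the goreleaser config but publishes nothing,
    # so it keeps the read-only default and never needs a GITHUB_TOKEN with write.
    if: |
      !cancelled() &&
      github.event_name == 'pull_request' &&
      github.event.pull_request.draft == false &&
      needs.dep-guard.result == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --snapshot --clean
```

Splitting the tag path and the pull-request path into two jobs, rather than one job with a compound `if`, is what keeps `contents: write` unreachable from any pull-request event regardless of how the draft check evaluates. The `pull_request` trigger (not `pull_request_target`) is also what ensures fork PRs run with a read-only token even in the snapshot job.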