Skip to content

Release workflows - The 4th workflow does not verify it runs against the latest RC #3290

New issue
New issue
Open
Open
Release workflows - The 4th workflow does not verify it runs against the latest RC#3290
Assignees
pingtimeout
Labels
bugSomething isn't working
@pingtimeout

Description

@pingtimeout
pingtimeout
opened on Dec 17, 2025

Describe the bug

The 4th release workflow, which publishes release artifacts, is run against a branch, as per Github Action UI. It contains a check that verifies it is running against a release/[major].[minor].x branch, but it does not contain a check that verifies it is running against the latest RC tag of that version.

So it is technically possible to add commits to the release branch after the binaries have been packaged and the vote thread has started, and misuse the publication workflow.

The consequences would be that the binaries published to Nexus and Apache dist would be those of the tag, But the Docker image would be that of the branch HEAD.

The workflow should contain a check that verifies it is running against the tag corresponding to the last RC, to prevent this from happening.

To Reproduce

No response

Actual Behavior

No response

Expected Behavior

No response

Additional context

No response

System information

No response

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions