Release v2.15.3 — revert CI dedup, restore strict tag validation

idemerge · claude · idemerge · commit c83e2d796796 · 2026-05-15T06:39:23.000Z
v2.15.2 skipped the quality job on tag pushes to avoid running CI twice per release. That left a security gap: a tag pointing at an unvalidated commit (e.g. `git tag v9.9.9 some-sha` directly) would trigger a Docker push without going through type check, lint, or tests. Trade CI time for safety. Each release now runs quality twice (~1m each) but guarantees Docker images are only built from validated commits. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,9 +9,6 @@ on:
 
 jobs:
   quality:
-    # Skip on tag pushes — the same commit was already validated when it landed on main.
-    # Without this guard, every release runs CI twice (once for branch push, once for tag push).
-    if: github.event_name != 'push' || !startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -119,9 +116,9 @@ jobs:
             exit 1
           }
 
-  # Docker publish — only on version tags. Quality check already ran when the commit
-  # landed on main, so no `needs: quality` dependency here.
+  # Docker publish — only on version tags, after CI passes
   docker:
+    needs: quality
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     steps:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/), and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [2.15.3] - 2026-05-15
+
+### Changed
+- CI workflow reverted to strict mode: tag pushes run the full `quality` job before `docker`. v2.15.2 had skipped `quality` on tag pushes to avoid duplicate CI runs, but that left a security gap — a tag pointing at an unvalidated commit (e.g. `git tag v9.9.9 some-sha` directly) could trigger a Docker push without going through type check / lint / tests. Each release now runs `quality` twice (once on branch push, once on tag push) but guarantees Docker images are only built from validated commits
+
 ## [2.15.2] - 2026-05-15
 
 ### Fixed
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.15.2
+2.15.3
diff --git a/backend/package.json b/backend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "llm-benchmark-backend",
-  "version": "2.15.2",
+  "version": "2.15.3",
   "description": "LLM API Bench - Backend",
   "main": "dist/index.js",
   "scripts": {
diff --git a/frontend/package.json b/frontend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "frontend",
   "private": true,
-  "version": "2.15.2",
+  "version": "2.15.3",
   "type": "module",
   "scripts": {
     "dev": "vite",
diff --git a/package.json b/package.json
@@ -23,5 +23,5 @@
   "scripts": {
     "prepare": "husky"
   },
-  "version": "2.15.2"
+  "version": "2.15.3"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "llm-benchmark-backend",`
`3`		`- "version": "2.15.2",`
	`3`	`+ "version": "2.15.3",`
`4`	`4`	`"description": "LLM API Bench - Backend",`
`5`	`5`	`"main": "dist/index.js",`
`6`	`6`	`"scripts": {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "frontend",`
`3`	`3`	`"private": true,`
`4`		`- "version": "2.15.2",`
	`4`	`+ "version": "2.15.3",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"scripts": {`
`7`	`7`	`"dev": "vite",`
Original file line number	Diff line number	Diff line change
`@@ -23,5 +23,5 @@`
`23`	`23`	`"scripts": {`
`24`	`24`	`"prepare": "husky"`
`25`	`25`	`},`
`26`		`- "version": "2.15.2"`
	`26`	`+ "version": "2.15.3"`
`27`	`27`	`}`