From f0715dd299a4bd5cb7e1fd633d7149cad250ef01 Mon Sep 17 00:00:00 2001
From: Vikas Singhal
Date: Fri, 6 Mar 2026 14:29:01 +0000
Subject: [PATCH] Restrict SVN deploy to tags on main branch only Add a guard step that verifies the tagged commit is an ancestor of main before deploying to WordPress.org. Prevents accidental releases from develop or feature branches. Also updates actions/checkout from deprecated @master to @v4.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/svn-deploy.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/svn-deploy.yml b/.github/workflows/svn-deploy.yml
index 2c009c9b..5985c6fa 100644
--- a/.github/workflows/svn-deploy.yml
+++ b/.github/workflows/svn-deploy.yml
@@ -1,18 +1,25 @@
-name: Deploy to WordPress.org
+name: Deploy to WordPress.org
 on:
 push:
 tags:
 - "*"
-
+
 jobs:
 tag:
 name: New tag
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@master
- - name: Build # Remove or modify this step as needed
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Verify tag is on main branch
 run: |
- echo "building"
+ TAG_COMMIT=$(git rev-list -n 1 ${{ github.ref_name }})
+ if ! git merge-base --is-ancestor "$TAG_COMMIT" origin/main; then
+ echo "::error::Tag ${{ github.ref_name }} does not point to a commit on the main branch. Aborting deploy."
+ exit 1
+ fi
+ echo "Tag ${{ github.ref_name }} verified on main branch."
 - name: Install Subversion
 run: sudo apt-get install subversion
 - name: WordPress Plugin Deploy
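Review bot: The new "Verify tag is on main branch" step expands `${{ github.ref_name }}` directly inside the `run:` script in three places, so the tag name becomes part of the shell source before bash parses it, and git permits shell metacharacters in ref names; that makes the guard itself a script-injection point for anyone who can push a tag. Pass the value through `env:` and use it as a quoted shell variable, resolving it as `refs/tags/…` so a branch with the same name cannot be picked up instead. Note also that the guard runs from the workflow file at the tagged commit, so it catches accidental tags only; commits that predate or drop this step would deploy unchecked, and hard enforcement would need a tag ruleset or a protected deployment environment. The job's later steps, including the WordPress deploy step, continue outside the hunk, so which secrets this job can reach is not visible here.

```yaml
      - name: Verify tag is on main branch
        env:
          TAG_NAME: ${{ github.ref_name }}
        run: |
          TAG_COMMIT=$(git rev-list -n 1 "refs/tags/$TAG_NAME")
          # … unchanged: merge-base --is-ancestor check against origin/main …
            echo "::error::Tag $TAG_NAME does not point to a commit on the main branch. Aborting deploy."
          # … unchanged: exit 1 / fi …
          echo "Tag $TAG_NAME verified on main branch."
```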