Skip to content

ci(release): idempotent tag handling for v6.2.0 recovery#10

Merged
sscarduzio merged 1 commit into
mainfrom
ci/idempotent-release-tag
May 25, 2026
Merged

ci(release): idempotent tag handling for v6.2.0 recovery#10
sscarduzio merged 1 commit into
mainfrom
ci/idempotent-release-tag

Conversation

@sscarduzio
Copy link
Copy Markdown
Collaborator

@sscarduzio sscarduzio commented May 25, 2026

Why

The v6.2.0 Manual Release workflow failed at the "Create and push tag" step:

remote: Permission to beshu-tech/deltaglider.git denied to sscarduzio.
fatal: unable to access 'https://github.com/beshu-tech/deltaglider/': The requested URL returned error: 403

Same shape as the previous attempt on 2026-05-17. The PAT_TOKEN secret in the repo doesn't have push-tag permission on this org repo.

I pushed v6.2.0 from local (where I do have write access). Now I need the workflow to accept that and continue with the lint/typecheck/test/publish jobs against the existing tag, instead of erroring out on the existence check.

What this PR does

  • Collapses "Check if tag already exists" + "Create and push tag" into one idempotent step.
  • Fetches tags from origin first.
  • If the tag exists: log and continue, setting the output to the same value.
  • If it doesn't: create + push as before.
  • On a clean run from a writable PAT_TOKEN: behaviour is identical (fetch is no-op, rev-parse misses, create+push path fires).

Then

Re-dispatch the Manual Release workflow with version=6.2.0, pypi_environment=pypi. The validate-and-tag job will now skip tag creation and pass through; the downstream jobs (lint / typecheck / test / e2e-test / publish) will run against the tag and publish to PyPI.

@sscarduzio @claude
ci(release): make tag-creation idempotent so locally-pushed tags work
a13d418 
When the workflow's PAT_TOKEN lacks push-tag permission to this org
repo (the v6.2.0 release hit this), the maintainer can push the
tag locally and re-dispatch the workflow. Previously the "Check if
tag already exists" step errored out fatally; now we fetch tags,
reuse one if present, and only create+push when the tag's missing.

This also lets us recover from a half-completed earlier run without
having to delete the tag and rebuild from scratch.

No behaviour change on a clean run from a writable PAT_TOKEN: the
fetch is a no-op, the rev-parse misses, and the create+push branch
fires exactly as before.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sscarduzio sscarduzio merged commit fefb253 into main May 25, 2026
5 checks passed
@sscarduzio sscarduzio deleted the ci/idempotent-release-tag branch May 25, 2026 07:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sscarduzio