fix(#2420): automate v0 floating tag move in release workflow #2421

Open: rh-hemartin wants to merge 1 commit into main from fix/2420-automate-v0-tag

@rh-hemartin

Member

Summary

  • Add post-GoReleaser step in release.yml to force-move v0 tag, with ancestry check to prevent race conditions between concurrent releases
  • Add git.ignore_tags in .goreleaser.yml so v0 doesn't confuse previous-tag detection (root cause of previous=<unknown> / 1,216-entry changelogs)
  • Remove manual step 8 from cutting-releases skill, update post-flight docs

Closes #2420

Test plan

  • Verify release.yml syntax is valid (actionlint / CI)
  • Confirm .goreleaser.yml parses correctly (goreleaser check)
  • On next release: changelog should show only commits since previous semver tag, not entire history
  • On next release: v0 tag should move automatically without manual intervention
  • Pre-release tags (e.g. v0.19.0-rc.1) should skip the v0 move step

🤖 Generated with Claude Code

@github-actions

github-actions Bot commented Jun 18, 2026

Site preview

Preview: https://ea8d4507-site.fullsend-ai.workers.dev

Commit: 4ee125abf09ce07393a2ed5115d9db3456f11243

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 18, 2026

🤖 Finished Review · ✅ Success · Started 1:40 PM UTC · Completed 1:52 PM UTC
Commit: 0c869d8 · View workflow run →

@codecov

codecov Bot commented Jun 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 18, 2026

Review

Findings

Medium

  • [protected-path] .github/workflows/release.yml, skills/cutting-releases/SKILL.md, skills/cutting-releases/post-flight.md — Three of four changed files are under protected paths (.github/, skills/). The PR links to issue #2420 ("release: move v0 floating tag in CI after GoReleaser completes") and explains the rationale for these changes. Human approval is always required for protected-path changes, regardless of context.

  • [documentation-code-mismatch] skills/cutting-releases/post-flight.md:12 — The diff changes the Sandbox Images workflow trigger description to "triggered by release workflow", but sandbox-images.yml triggers on semver tag pushes matching v[0-9]+.[0-9]+* (lines 5–6). The Sandbox Images workflow is triggered independently by the same semver tag push, not by the release workflow. The old text ("triggered by the v0 tag move") was also inaccurate since v0 doesn't match the semver pattern.
    Remediation: Change the parenthetical to "(triggered by the semver tag push)".

Low

  • [race-condition] .github/workflows/release.yml:48 — The --force-with-lease="v0:${CURRENT}" push is an atomic server-side check, so a concurrent release that moves v0 between the local git rev-parse and the push will cause the push to fail safely rather than silently overwriting. However, on failure there is no retry mechanism, so v0 would remain not updated for that release. Practical risk is very low since releases are cut manually and sequentially.

  • [error-message-style] .github/workflows/release.yml:44 — The ::warning:: message could include the current v0 SHA (${CURRENT}) and ${GITHUB_SHA} for easier debugging when the ancestry check skips the v0 move.

  • [documentation-code-mismatch] docs/ADRs/0048-automatic-updates.md:58 — ADR 0048 lists "v0 should be migrated to the new moving tag and deleted" as a future consequence. This PR automates v0 instead of deprecating it, which extends v0's operational lifespan but does not violate the ADR's decision. No immediate action required.

  • [missing-authorization] .github/workflows/release.yml:36 — The automated v0 tag move removes a human confirmation checkpoint (AskUserQuestion) that was previously in SKILL.md step 8. The release itself still requires a human to push the semver tag, which implicitly authorizes the v0 move. The removed checkpoint was defense-in-depth, not a primary authorization gate.


Labels: PR modifies the release CI workflow and release skill documentation.

Previous run

Review

Findings

Medium

  • [protected-path] .github/workflows/release.yml, skills/cutting-releases/SKILL.md, skills/cutting-releases/post-flight.md — Three of four changed files are under protected paths (.github/, skills/). The PR links to issue #2420 ("release: move v0 floating tag in CI after GoReleaser completes") and explains the rationale for these changes. Human approval is always required for protected-path changes, regardless of context.

  • [shell-error-handling] .github/workflows/release.yml:36 — The new shell script in the "Move v0 floating tag" step does not use set -euo pipefail. All other multi-line run: blocks across the repository's workflows consistently use it as the first line. Without set -e, a failed git tag -f would silently continue to git push origin v0 --force with stale state.
    Remediation: Add set -euo pipefail as the first line of the run: block.

  • [documentation-accuracy] skills/cutting-releases/post-flight.md:12 — The diff changes the Sandbox Images trigger description to "triggered by release workflow", but sandbox-images.yml is triggered by a tag push matching v[0-9]+.[0-9]+* (the semver version tag), not by the release workflow (there is no workflow_call or workflow_run trigger linking them). The old text was also wrong — the bare v0 tag never matched that pattern either.
    Remediation: Change the parenthetical to "(triggered by the version tag push)".

Low

  • [race-condition] .github/workflows/release.yml:40 — The ancestry guard checks v0's position with git rev-parse and git merge-base, then force-pushes in a separate step. A concurrent release could move v0 between the check and push. The practical risk is very low since releases are cut manually and sequentially. Consider using git push --force-with-lease=v0:<expected-sha> for atomic safety.

  • [documentation-code-mismatch] docs/ADRs/0048-automatic-updates.md:58 — ADR 0048 lists "v0 should be migrated to the new moving tag and deleted" as a future consequence. This PR automates v0 instead of deprecating it, which extends v0's operational lifespan but does not violate the ADR's decision. No immediate action required.


Labels: PR modifies CI release workflow and release skill documentation


Previous run (2)

Review

Findings

Medium

  • [protected-path] .github/workflows/release.yml, skills/cutting-releases/SKILL.md, skills/cutting-releases/post-flight.md — Three of four changed files are under protected paths (.github/, skills/). The PR links to issue #2420 ("release: move v0 floating tag in CI after GoReleaser completes") and explains the rationale for these changes. Human approval is always required for protected-path changes, regardless of context.

Low

  • [race-condition] .github/workflows/release.yml:40 — The ancestry guard checks v0's position locally then force-pushes later. A concurrent release could move v0 between the check and push, allowing the slower job to regress v0. The practical risk is very low since releases are cut manually and sequentially. Consider using git push --force-with-lease=v0:<expected-sha> for atomic safety.

  • [github-actions-workflow-annotation] .github/workflows/release.yml:42 — The ::warning:: message could include commit SHAs (${CURRENT} and ${GITHUB_SHA}) for easier debugging when the ancestry check skips the v0 move.

  • [architectural-tension] .github/workflows/release.yml:36 — ADR 0048 (accepted 2026-06-09) plans to migrate the v0 floating tag to a new scheme. This PR automates the existing manual process, which is pragmatic while migration is planned but extends v0's operational lifespan. Consider adding a comment noting this is interim automation.

  • [documentation-internal-consistency] skills/cutting-releases/post-flight.md:12 — Section A references "the Sandbox Images workflow (triggered by the v0 tag move)" but the sandbox-images workflow trigger pattern (v[0-9]+.[0-9]+*) does not match the bare v0 tag. Pre-existing inaccuracy that could be corrected in this PR.

  • [naming-alignment] .goreleaser.yml:3 — The git.ignore_tags list includes v1 and v2 which are not currently used. The existing comment explains the purpose adequately; this is a minor forward-compatibility measure.

Info

  • [edge-case] .github/workflows/release.yml:34 — The pre-release filter !contains(github.ref_name, '-') correctly skips RC/alpha/beta tags. Under standard semver, hyphens always denote pre-release identifiers, so this is a non-issue.
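
As an added example (not code from this PR or from the project's release.yml), the script below stages the race that the race-condition findings above describe, in a throwaway repository: an ancestry guard followed by a --force-with-lease push. The function names, the rival hook, the use of git ls-remote with the full ref name, and the 2/3 return codes are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not the project's release.yml. Repository, commits and the
# rival job are constructed in a temporary directory.
set -eu

# Move floating tag $1 on "origin" to commit $2.
# Returns 0 = moved, 2 = skipped (tag already ahead), 3 = lease rejected.
# $3 (optional) names a function run between check and push, to stage a race.
move_floating_tag() {
  local tag=$1 sha=$2 between=${3:-:} current
  # Ask the remote, by full ref name: a stale local tag or a branch that
  # shares the short name cannot be read by mistake.
  current=$(git ls-remote --refs origin "refs/tags/${tag}" | cut -f1)
  if [ -n "$current" ] && ! git merge-base --is-ancestor "$current" "$sha"; then
    return 2
  fi
  "$between"
  # Compare-and-swap: the ref is updated only if it still holds $current
  # (an empty value means "must not exist yet").
  git push --quiet --force-with-lease="refs/tags/${tag}:${current}" \
    origin "${sha}:refs/tags/${tag}" 2>/dev/null || return 3
}

# Subshell body keeps the cd and exported identity out of the caller's shell.
demo() (
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
  git init --quiet --bare "$work/origin.git"
  git init --quiet "$work/job"; cd "$work/job"
  git remote add origin "$work/origin.git"
  for v in 0.18.0 0.19.0 0.20.0; do git commit --quiet --allow-empty -m "$v"; done
  old=$(git rev-parse HEAD~2) mid=$(git rev-parse HEAD~1) new=$(git rev-parse HEAD)
  # A concurrent release that moves v0 to the newest commit.
  rival() { git push --quiet --force origin "${new}:refs/tags/v0"; }

  first=0; move_floating_tag v0 "$old" || first=$?        # tag created
  raced=0; move_floating_tag v0 "$mid" rival || raced=$?  # rival wins the race
  stale=0; move_floating_tag v0 "$mid" || stale=$?        # would regress v0
  final=$(git ls-remote --refs origin refs/tags/v0 | cut -f1)
  [ "$final" = "$new" ] && kept=yes || kept=no
  echo "first=$first raced=$raced stale=$stale v0_at_newest=$kept"
)

demo
```

The second call shows the lease rejecting a push whose expected value went stale after the local check, and the third shows the ancestry guard refusing to move v0 backwards.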

fullsend-ai-review Bot added the requires-manual-review (Review requires human judgment) label Jun 18, 2026

@ralphbean ralphbean left a comment

Member

A couple things to sort out before we merge. See inline comments.

Comment thread .goreleaser.yml
Comment thread skills/cutting-releases/post-flight.md
@ralphbean

Member

Thanks for digging into this.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 19, 2026

🤖 Finished Review · ✅ Success · Started 6:09 AM UTC · Completed 6:20 AM UTC
Commit: 2eb1a21 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}

- name: Move v0 floating tag

[medium] shell-error-handling

The new shell script in the Move v0 floating tag step does not use set -euo pipefail. All other multi-line run: blocks across the repository workflows consistently use it. Without set -e, a failed git tag -f would silently continue to git push with stale state.

Suggested fix: Add set -euo pipefail as the first line of the run: block.


## A. Wait for CI workflows

Wait for the Release workflow (triggered by the `v*` tag) and the

[medium] documentation-accuracy

The Sandbox Images trigger description says triggered by release workflow but sandbox-images.yml is triggered by a tag push matching v[0-9]+.[0-9]+* (the semver version tag), not by the release workflow.

Suggested fix: Change the parenthetical to (triggered by the version tag push).

if: "!contains(github.ref_name, '-')"
run: |
if git rev-parse v0 >/dev/null 2>&1; then
CURRENT=$(git rev-parse v0)

[low] race-condition

The ancestry guard checks v0 position then force-pushes in a separate git operation. A concurrent release could move v0 between check and push. Practical risk is negligible since releases are manual and sequential.

Suggested fix: Replace git push origin v0 --force with git push --force-with-lease=v0: origin v0.

fullsend-ai-review Bot added the requires-manual-review (Review requires human judgment), component/ci (CI pipelines and checks) and component/docs (User-facing documentation) labels and removed the requires-manual-review (Review requires human judgment) label Jun 19, 2026
@rh-hemartin rh-hemartin requested a review from ralphbean June 22, 2026 06:46
GoReleaser picked up the v0 floating tag as previous-tag reference,
causing broken changelogs (previous=<unknown>). The manual tag move
step was also easy to forget, leaving @v0 refs stale.

Add a post-GoReleaser step to force-move v0 with an ancestry guard
against race conditions. Add git.ignore_tags to .goreleaser.yml so
v0 never confuses changelog generation. Remove the manual step from
the cutting-releases skill.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Hector Martinez <hemartin@redhat.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 7:17 AM UTC · Completed 7:29 AM UTC
Commit: 4ee125a · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.


## A. Wait for CI workflows

Wait for the Release workflow (triggered by the `v*` tag) and the

[medium] documentation-code-mismatch

The diff changes the Sandbox Images workflow trigger description to 'triggered by release workflow', but sandbox-images.yml triggers on semver tag pushes matching v[0-9]+.[0-9]+*, not by the release workflow. The old text was also inaccurate.

Suggested fix: Change the parenthetical to '(triggered by the semver tag push)'.

exit 0
fi
fi
git tag -f v0 "${GITHUB_SHA}"

[low] race-condition

The --force-with-lease push is an atomic server-side check, so concurrent releases fail safely. However, there is no retry mechanism, so v0 would remain not updated on failure. Practical risk is very low.

if git rev-parse v0 >/dev/null 2>&1; then
CURRENT=$(git rev-parse v0)
if ! git merge-base --is-ancestor "${CURRENT}" "${GITHUB_SHA}"; then
echo "::warning::v0 already points at a newer commit, skipping"
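
Review bot: git rev-parse v0, both in the existence test and in the CURRENT= assignment, resolves a short name, so when the tag is missing a branch or other ref called v0 can satisfy it, and the merge-base ancestry check then runs against that ref instead of the tag. Resolve the tag by its full name, for example git rev-parse --verify --quiet refs/tags/v0, and reuse that one result for both the existence test and CURRENT rather than calling rev-parse twice. Redirecting stderr to /dev/null in the test also hides git's ambiguous-refname warning, which is the only signal of this condition.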

[low] error-message-style

The ::warning:: message could include the current v0 SHA (${CURRENT}) and ${GITHUB_SHA} for easier debugging when the ancestry check skips the v0 move.

GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}

- name: Move v0 floating tag

[low] missing-authorization

The automated v0 tag move removes a human confirmation checkpoint (AskUserQuestion) from SKILL.md step 8. The semver tag push itself serves as the authorization gate.

fullsend-ai-review Bot added the requires-manual-review (Review requires human judgment) label and removed the requires-manual-review (Review requires human judgment) label Jun 22, 2026

@ralphbean ralphbean left a comment

Member

LGTM.

Labels

component/ci (CI pipelines and checks), component/docs (User-facing documentation), requires-manual-review (Review requires human judgment)

Development

Successfully merging this pull request may close these issues.

release: move v0 floating tag in CI after GoReleaser completes

2 participants