ci: re-sign the release branch on every push #268

Merged
xiaoyijun merged 1 commit into master from xiaoyijun-ci-sign-release-branch-on-push
Jun 12, 2026

@xiaoyijun

Collaborator

Summary

#267 hooked the signing steps into the release-please job, gated on prs_created — i.e. they only ran when release-please itself created or updated the release PR in that same run. Real life immediately found the two gaps:

  1. an unsigned commit left by an earlier run is never revisited (later runs see "content unchanged", skip, and the branch stays unmergeable);
  2. the Update branch (rebase) button rewrites the release commit server-side and drops the signature — no master push follows, so the old hook never fires at all (this is exactly what produced the unsigned 062b0fd on release: 3.0.0-beta #245 today).

This PR moves the signing out of the release-please job into a sign-release-branch job triggered by pushes to release-please--branches--** — it reacts to the branch state, not to who changed it. Whether the unsigned head comes from release-please's REST-API force-push, a manual rebase update, or anything else: push event → if head commit is unsigned (%G? = N), amend with the bot's GPG key and force-push. Already-signed heads are left alone, which also guarantees the job cannot retrigger itself.

Also: the release-please job is now explicitly gated to master pushes, the push uses an explicit refspec (HEAD:ref_name, the previous bare git push --force had no upstream on a detached checkout), and RELEASE.md is updated.

Note: a workflow only fires for branches whose tree contains it, so the first rebase-update of #245 after this merges will pull the new release.yml into the release branch and the job will sign the rebased commit — that rebase is the live acceptance test.

The v2.x release workflow still needs the same treatment (mirror PR planned together with the rest of the signing setup, before release: 2.0.3 #260).

Testing

  • Acceptance: after merging, press Update branch (rebase) on release: 3.0.0-beta #245 — the rebased commit starts unsigned, the push triggers sign-release-branch, and the head flips to Verified within ~1 minute.
  • The amend+sign mechanics are the same ones used to unblock release: 3.0.0-beta #245 by hand three times today (author/message preserved, GitHub reports verified: true).

Checklist

  • .changeset (N/A — release-please)
  • unit tests (N/A — workflow change)
  • integration tests (N/A)
  • necessary KDoc comments (N/A)

🤖 Generated with Claude Code

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@xiaoyijun xiaoyijun merged commit 146b939 into master Jun 12, 2026
3 checks passed
@xiaoyijun xiaoyijun deleted the xiaoyijun-ci-sign-release-branch-on-push branch June 12, 2026 07:29
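
The check-and-re-sign step described in the summary above, written out as an added shell example; it is not the workflow code from this PR. Function names are hypothetical, the signing key is assumed to be imported with user.signingkey configured, and both the lease on the force-push and the refusal on a bad signature are this example's additions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not from the repo's release.yml.

# Map a `git log --format=%G?` letter to an action.
#   N            no signature at all     -> sign
#   G U X Y R E  a signature is present  -> skip (E: cannot be checked,
#                e.g. the signer's public key is not in the runner's keyring)
#   B            bad signature           -> fail (this example's choice)
sig_action() {
  case "$1" in
    N) echo sign ;;
    G|U|X|Y|R|E) echo skip ;;
    *) echo fail ;;   # B or anything unexpected: stop, do not re-sign over it
  esac
}

# Re-sign HEAD and push it to branch $1 only when HEAD is unsigned.
# Assumes the signing key is imported and user.signingkey is configured.
sign_head_if_unsigned() {
  ref_name="$1"
  old_sha="$(git rev-parse HEAD)" || return 1
  status="$(git log -1 --format='%G?' HEAD)" || return 1
  case "$(sig_action "$status")" in
    skip) echo "head $old_sha already signed (%G?=$status)"; return 0 ;;
    fail) echo "refusing to touch head, %G?=$status" >&2; return 1 ;;
  esac
  # Amend keeps author and message; only committer data and signature change.
  git commit --amend --no-edit -S || return 1
  # Detached checkout has no upstream, so spell out the refspec. The lease
  # (an addition to the page's plain --force) refuses the push if the remote
  # branch moved away from the commit that was inspected.
  git push --force-with-lease="refs/heads/$ref_name:$old_sha" \
    origin "HEAD:refs/heads/$ref_name"
}

# Run only when asked, e.g.: sh sign-head.sh --run "$BRANCH_NAME"
if [ "${1:-}" = "--run" ]; then
  sign_head_if_unsigned "$2"
fi
```

After the amend, the new head reports G or U instead of N, so the push event caused by this function takes the skip path on the next run.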