@shelldandy
Contributor

Fixes: #403

  • Add tag detection and branch preparation step
  • Implement automatic rebase when main has moved ahead
  • Split commit and push into separate steps for proper rebase flow
  • Add comprehensive error handling with clear user guidance
  • Maintain full backward compatibility with branch-based workflow
  • Update documentation and examples for tag-based usage

Allows workflows to run from git tags, locking version bump to specific commits and preventing race conditions when PRs are merged during release. When main has moved ahead, automatically rebases version bump onto latest.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


Comment on lines +64 to +126
run: |
set -e
# Detect execution context
if ! git symbolic-ref -q HEAD > /dev/null; then
echo "::notice::Detached HEAD detected - running from tag"
IS_TAG_TRIGGER=true
TAG_COMMIT=$(git rev-parse HEAD)
echo "tag-commit=${TAG_COMMIT}" >> $GITHUB_ENV
else
CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
echo "::notice::Running from branch: ${CURRENT_BRANCH}"
IS_TAG_TRIGGER=false
fi
echo "is-tag-trigger=${IS_TAG_TRIGGER}" >> $GITHUB_ENV
# Fetch latest remote state
echo "Fetching latest main from remote..."
git fetch origin main:refs/remotes/origin/main
REMOTE_MAIN_SHA=$(git rev-parse origin/main)
echo "remote-main-sha=${REMOTE_MAIN_SHA}" >> $GITHUB_ENV
# Handle tag trigger
if [ "$IS_TAG_TRIGGER" = "true" ]; then
echo "::group::Tag-based workflow preparation"
echo "Tag points to: ${TAG_COMMIT}"
echo "Remote main at: ${REMOTE_MAIN_SHA}"
# Validate tag is in main history
if ! git merge-base --is-ancestor "${TAG_COMMIT}" "${REMOTE_MAIN_SHA}"; then
echo "::error::Tag commit ${TAG_COMMIT} is not in main branch history"
echo "::error::The tag must point to a commit that exists in the main branch"
exit 1
fi
# Create local main branch from tag commit
git checkout -B main "${TAG_COMMIT}"
echo "::notice::Created local main branch at tag commit"
# Check if rebase will be needed
if [ "${TAG_COMMIT}" != "${REMOTE_MAIN_SHA}" ]; then
echo "::warning::Main has moved ahead since tag was created"
echo "::warning::Version bump will be rebased onto latest main before pushing"
echo "needs-rebase=true" >> $GITHUB_ENV
# Calculate commits that will be rebased over
COMMITS_AHEAD=$(git rev-list --count ${TAG_COMMIT}..${REMOTE_MAIN_SHA})
echo "::notice::Main is ${COMMITS_AHEAD} commit(s) ahead"
else
echo "::notice::Tag is at main HEAD - fast-forward push"
echo "needs-rebase=false" >> $GITHUB_ENV
fi
echo "::endgroup::"
else
# Running from branch - validate
CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
if [ "${CURRENT_BRANCH}" != "main" ]; then
echo "::error::Running from branch '${CURRENT_BRANCH}' but expected 'main'"
echo "::error::This action must be run from main branch or from a tag"
exit 1
fi
echo "needs-rebase=false" >> $GITHUB_ENV
fi
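
Review bot: The `>> $GITHUB_ENV` writes in this step (`tag-commit`, `is-tag-trigger`, `remote-main-sha`, `needs-rebase`) are better expressed as step outputs, which is also what the zizmor github-env finding on this range points at. Entries in the environment file are applied to every later step in the job, and the hyphenated keys cannot be read back as shell variables in a later `run:` block because `-` is not valid in a shell identifier, so they already behave like outputs rather than environment variables. Suggest giving the step an `id` and writing `echo "needs-rebase=false" >> "$GITHUB_OUTPUT"` (quoted), then reading the values through `steps.<id>.outputs.*`. The values written here are `git rev-parse` SHAs and the literals `true`/`false`, so nothing attacker-shaped reaches the file as written; the change mainly narrows where these values are visible and clears the audit. Two smaller points: `${TAG_COMMIT}..${REMOTE_MAIN_SHA}` in the `git rev-list --count` call is unquoted while every other expansion in the step is quoted, and `CURRENT_BRANCH` is computed a second time in the branch path although the first `else` arm already set it.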

Check failure

Code scanning / zizmor

dangerous use of environment file Error

dangerous use of environment file
@github-actions

😢 zizmor failed with exit code 14.

error[github-env]: dangerous use of environment file
   --> ./actions/plugins/version-bump-changelog/action.yml:64:7
    |
 64 | /       run: |
 65 | |         set -e
 66 | |
 67 | |         # Detect execution context
...   |
125 | |           echo "needs-rebase=false" >> $GITHUB_ENV
126 | |         fi
    | |__________^ write to GITHUB_ENV may allow code execution
    |
    = note: audit confidence → Low

error[github-env]: dangerous use of environment file
   --> ./actions/plugins/version-bump-changelog/action.yml:64:7
    |
 64 | /       run: |
 65 | |         set -e
 66 | |
 67 | |         # Detect execution context
...   |
125 | |           echo "needs-rebase=false" >> $GITHUB_ENV
126 | |         fi
    | |__________^ write to GITHUB_ENV may allow code execution
    |
    = note: audit confidence → Low

error[github-env]: dangerous use of environment file
   --> ./actions/plugins/version-bump-changelog/action.yml:64:7
    |
 64 | /       run: |
 65 | |         set -e
 66 | |
 67 | |         # Detect execution context
...   |
125 | |           echo "needs-rebase=false" >> $GITHUB_ENV
126 | |         fi
    | |__________^ write to GITHUB_ENV may allow code execution
    |
    = note: audit confidence → Low

153 findings (13 ignored, 137 suppressed): 0 informational, 0 low, 0 medium, 3 high

@grafana-plugins-platform-bot grafana-plugins-platform-bot bot moved this from 📬 Triage to 🔬 In review in Plugins Platform / Grafana Community Nov 28, 2025

Development

Successfully merging this pull request may close these issues.

Make Version Bump Changelog work with tags
