Skip to content

fix(release-tag): drop floating major tag to satisfy tag-protection ruleset#182

Merged
williaby merged 2 commits into
mainfrom
claude/fix-release-tag-no-floating-0
May 27, 2026
Merged

fix(release-tag): drop floating major tag to satisfy tag-protection ruleset#182
williaby merged 2 commits into
mainfrom
claude/fix-release-tag-no-floating-0

Conversation

@williaby
Copy link
Copy Markdown
Collaborator

@williaby williaby commented May 27, 2026

Summary

  • Removes the floating vX major-tag force-push from .github/workflows/release-tag.yml.
  • The workflow now creates only an immutable annotated vX.Y.Z tag on each push to main.
  • Header comment updated to cite the org-level ruleset and reflect the new immutable-only semantics.

Why this failed on main

The org-level ruleset ByronWilliamsCPA-tag-protection-semver applies to refs/tags/v* and enforces:

  • deletion (no tag deletion)
  • non_fast_forward (no force-pushes)
  • update (no tag updates)
  • tag_name_pattern (semver shape)

Only the RepositoryRole admin is in the bypass list. The github-actions[bot] identity used by this workflow is not, so the previous git push origin v1 --force was rejected with GH013: Repository rule violations found for refs/tags/v1.

Failing run: https://github.com/ByronWilliamsCPA/.github/actions/runs/26477814926

Why removing the floating tag is the right fix

  • Already proven by ByronWilliamsCPA/.claude: that repo only ever publishes immutable point tags (v0.13.0, v0.12.2, ...) and is unaffected by the ruleset.
  • No org-level bypass expansion needed: alternative was adding github-actions to the ruleset's bypass list, but that would open the bypass for every repo in the org, weakening the protection for one workflow's idiosyncratic design.
  • No consumer impact: CI-005 mandates that consumers pin to full 40-char SHAs. The floating v1 ref was, per the original header comment, "human-readable documentation only." Existing immutable v1.x.y tags remain available for callers that prefer named refs.

What changes

Removed
FLOATING="v${MAJOR}" unused after the floating-push removal
echo "Floating tag: $FLOATING" unused log line
git tag -f "$FLOATING" -m "..." force-moved the floating ref locally
git push origin "$FLOATING" --force the line GitHub was rejecting
Kept (unchanged)
Conventional-commit bump logic major/minor/patch detection
git tag -a "$NEW_TAG" + git push origin "$NEW_TAG" the immutable point tag
permissions: contents: write job-level required for tag push
Hardened runner, SHA-pinned actions unchanged

Test plan

  • yamllint passes
  • pre-commit (full hook chain) passes
  • CI on this PR: workflow file remains syntactically valid (yamllint job)
  • After merge: next push to main cuts a new vX.Y.Z tag and the Release Tag required check goes green

Stale v1 tag

The existing floating v1 tag (currently at SHA 686b656) is left in place; the ruleset prevents deletion anyway, and consumers that resolved it before this change are unaffected. It will simply not advance further. If desired, an org admin can delete it manually (admin bypass) in a follow-up.

Generated with Claude Code

@williaby @claude
fix(release-tag): drop floating major tag to satisfy tag-protection r…
af277cd 
…uleset

The org-level `ByronWilliamsCPA-tag-protection-semver` ruleset (applied
to `refs/tags/v*`) enforces four rules: `deletion`, `non_fast_forward`,
`update`, and `tag_name_pattern`. Its bypass list only contains the
`RepositoryRole` admin (id=5), so the `github-actions[bot]` identity
used by this workflow cannot bypass.

The previous design created both an immutable point tag (vX.Y.Z) and
a floating major tag (vX) that was force-moved on every release. The
floating-tag force-push has been rejected on every push to main since
the ruleset was tightened on 2026-05-16, failing the `Release Tag`
required check.

This change aligns the workflow with the strategy already proven in
ByronWilliamsCPA/.claude, which only ever creates immutable point
tags and is unaffected by the ruleset. The change:

- Removes the `FLOATING` variable, the `git tag -f`, and the
  `git push origin "$FLOATING" --force` lines.
- Updates the header comment to reflect immutable-tag semantics and
  cite the ruleset.

Consumers already pin to full 40-char SHAs per CI-005, so removing
the floating `v1` ref has no practical downstream impact.

Closes the Release Tag failure on https://github.com/ByronWilliamsCPA/.github/actions/runs/26477814926

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 27, 2026 01:34
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 27, 2026
edited
Loading

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a184614f-9551-4a7f-8429-022da4df8a43

📥 Commits

Reviewing files that changed from the base of the PR and between e72886a and 4f19bc8.

📒 Files selected for processing (1)
  • .github/workflows/release-tag.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/fix-release-tag-no-floating-0

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed May 27, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the release tagging workflow to stop publishing or force-updating a floating major tag, aligning tag creation with the org-level tag protection ruleset.

Changes:

  • Updates workflow comments to document immutable point-tag-only behavior.
  • Removes floating major tag creation, logging, and force-push.
  • Keeps the annotated vX.Y.Z tag creation and push path.

Comment thread .github/workflows/release-tag.yml
@@ -63,17 +65,12 @@ jobs:
fi

NEW_TAG="v${MAJOR}.${MINOR}.${PATCH}"
@williaby williaby enabled auto-merge (squash) May 27, 2026 04:12
@williaby williaby merged commit e75a86b into main May 27, 2026
22 checks passed
@williaby williaby deleted the claude/fix-release-tag-no-floating-0 branch May 27, 2026 04:13
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 27, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@williaby