Remove explicit tag push; rely on gh release create draft atomicity

cx-aniket-shinde · claude · cx-aniket-shinde · commit 0d54c7a5e004 · 2026-05-05T23:32:39.000+05:30
The explicit git push step published the tag before any release or assets
existed, creating a window where the tag was public with nothing attached.
If gh release create then failed, the tag was permanently stranded.

New sequence:
- gh release create --draft --target &lt;sha&gt;: uploads all assets, tag not
  yet public (GitHub defers the ref until the draft is published)
- gh release edit --draft=false: tag and release become public together

Also adds:
- set -euo pipefail + shopt -s failglob so an empty dist/ or any command
  failure exits loudly before touching GitHub
- Cleanup step (if: failure()) that deletes a leftover draft so the next
  run is not blocked; --cleanup-tag is best-effort (|| true) since the
  org immutable-tag policy may prevent tag deletion, but the release
  deletion alone is sufficient to unblock a retry

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -141,28 +141,36 @@ jobs:
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
-      - name: Push tag
-        run: git push origin "${{ inputs.tag }}"
-
       - name: Create GitHub Release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          set -euo pipefail
+          shopt -s failglob
+
+          common=(
+            "${{ inputs.tag }}"
+            dist/*.tar.gz dist/*.zip dist/*checksums*
+            --target "${{ github.sha }}"
+            --title  "Checkmarx One CLI ${{ inputs.tag }}"
+            --generate-notes
+            --draft
+          )
+
           if [ "${{ inputs.dev }}" = "true" ]; then
-            gh release create "${{ inputs.tag }}" dist/*.tar.gz dist/*.zip dist/*checksums* \
-              --title "Checkmarx One CLI ${{ inputs.tag }}" \
-              --generate-notes \
-              --prerelease \
-              --draft
-            gh release edit "${{ inputs.tag }}" --draft=false
+            gh release create "${common[@]}" --prerelease
+            gh release edit   "${{ inputs.tag }}" --draft=false
           else
-            gh release create "${{ inputs.tag }}" dist/*.tar.gz dist/*.zip dist/*checksums* \
-              --title "Checkmarx One CLI ${{ inputs.tag }}" \
-              --generate-notes \
-              --draft
-            gh release edit "${{ inputs.tag }}" --draft=false --latest
+            gh release create "${common[@]}"
+            gh release edit   "${{ inputs.tag }}" --draft=false --latest
           fi
 
+      - name: Cleanup draft release on failure
+        if: failure()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release delete "${{ inputs.tag }}" --cleanup-tag --yes || true
+
   notify:
     name: Update Teams & JIRA About New Release
     if: inputs.dev == false && 1 == 0
