fix(ci): create release tag inline to bypass docker-action ownership issue #1913
Merged
…issue Agent-Logs-Url: https://github.com/Hack23/blacktrigram/sessions/6c566471-bf31-4056-8305-4492a2139bb7 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Copilot created this pull request from a session on behalf of pethers (May 9, 2026 16:04)
Pull request overview
Updates the release GitHub Actions workflow to reliably commit the version bump and create/push the release tag when running inside the cypress/browsers container (avoiding the “dubious ownership” failure mode of a Docker-based auto-commit action).
Changes:
- Replace stefanzweifel/git-auto-commit-action with inline git commands that set safe.directory, commit the version bump, create an annotated tag, and push commit+tag.
- Add an explanatory workflow comment documenting why the Docker action is intentionally avoided in this container job.
| fi | ||
|
|
||
| # actions/checkout leaves the repo in a detached HEAD state for | ||
| # workflow_dispatch on a branch, so push HEAD explicitly to main. |
Comment on lines +146 to +149
| # actions/checkout leaves the repo in a detached HEAD state for | ||
| # workflow_dispatch on a branch, so push HEAD explicitly to main. | ||
| git push origin "HEAD:${GITHUB_REF_NAME}" | ||
| git push origin "refs/tags/${VERSION}" |
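Review bot: the comment above the first push says HEAD is pushed "explicitly to main", but the command targets ${GITHUB_REF_NAME}, which is whichever branch the workflow was dispatched from, so a dispatch from another branch would put the release commit and tag there. Either reword the comment or add a guard that fails the step unless GITHUB_REF_NAME is main. The two git push calls are also independent: if the branch push succeeds and the tag push fails, the version bump lands without its tag. A single git push --atomic origin "HEAD:${GITHUB_REF_NAME}" "refs/tags/${VERSION}" updates both refs or neither.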
Problem
The release workflow has been failing for v0.7.43 (and likely the two prior attempts on 2026-05-09) with: … in the Build Release Package job's checkout step (run 25604887285).

Root cause
The real failure is in the upstream Prepare Release job. After the prepare job was moved to run inside the cypress/browsers container, stefanzweifel/git-auto-commit-action (a Docker action) fails silently. From the actual job log for step 11:

The Docker action launches its own container and does not inherit the host job's safe.directory git config. git status errors out, and with the default skip_dirty_check: false the action interprets the failure as "no changes" and exits successfully without committing, tagging, or pushing. The version bump never lands on main and the tag is never created — so the downstream build job's actions/checkout with ref: ${{ github.event.inputs.version }} cannot find it.

This started failing once the prepare job adopted the cypress/browsers container (commit 8a1b52e9fa); prior runs on the bare ubuntu-latest runner did not hit this because file ownership matched the runner UID.

Fix
Replace stefanzweifel/git-auto-commit-action with an inline git commit + tag + push step that runs in the container's own shell, where we can set safe.directory for the actual UID running git. git is already installed in the container (line 80 of the workflow).

The new step:
- safe.directory for $GITHUB_WORKSPACE
- github-actions[bot] identity used previously
- git diff --cached --quiet)
- HEAD to the dispatching branch (HEAD:${GITHUB_REF_NAME}) — needed because actions/checkout leaves the repo in a detached-HEAD state — and pushes the tag

A code comment explains why we bypass the Docker action so this isn't accidentally reverted.

Validation
- yaml.safe_load ✅
- parallel_validation (Code Review + CodeQL Security Scan) — no findings ✅

Notes / follow-ups
- v0.7.43 should now succeed via this fix on the next workflow_dispatch.
- permissions: contents: write on the prepare job, so the default GITHUB_TOKEN from actions/checkout can push the commit and tag.
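As an added example (not the workflow step from this pull request), here is one way to write the commit, tag and push sequence described under Fix so that a git failure stops the job instead of passing as "no changes". The function name, its arguments, the commit message and the bot e-mail address are assumptions.

```shell
# Added example, not the project's workflow step. release_commit_and_tag and its
# arguments (repo path, version, branch) are hypothetical names.
release_commit_and_tag() (
  repo="$1" version="$2" branch="$3"

  # Bot identity; the e-mail address is an assumption made for this example.
  export GIT_AUTHOR_NAME="github-actions[bot]"
  export GIT_AUTHOR_EMAIL="github-actions[bot]@users.noreply.github.com"
  export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

  # safe.directory is only honoured from global/system config, so set it for
  # the UID that actually runs git inside the container.
  git config --global --add safe.directory "$repo" || exit 1

  # Fail closed: if git cannot read the repository (dubious ownership, not a
  # repo), stop instead of treating the error as "no changes".
  git -C "$repo" status --porcelain >/dev/null || exit 2

  # Never move or recreate an existing release tag.
  if git -C "$repo" rev-parse -q --verify "refs/tags/$version" >/dev/null; then
    exit 3
  fi

  # Stages the whole workspace; a real job would name the bumped files.
  git -C "$repo" add -A || exit 1
  # diff --cached --quiet exits non-zero when something is staged.
  if ! git -C "$repo" diff --cached --quiet; then
    git -C "$repo" commit -q -m "chore(release): $version" || exit 1
  fi
  git -C "$repo" tag -a "$version" -m "Release $version" || exit 1

  # One atomic push: the branch update and the tag land together or not at all.
  git -C "$repo" push -q --atomic origin \
    "HEAD:refs/heads/$branch" "refs/tags/$version" || exit 1

  # Confirm the tag exists on the remote before a later job checks it out.
  git -C "$repo" ls-remote --exit-code --tags origin "refs/tags/$version" >/dev/null
)
```

Exit status 2 marks the case the root-cause analysis describes: git could not read the repository, so nothing was committed, tagged or pushed.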