Require explicit commit for cuda-pathfinder release workflow

cpcloud · cursoragent · cpcloud · commit 4a2ab03a2c6d · 2026-02-17T12:54:36.000-05:00
Pinning releases to a user-provided SHA prevents accidentally releasing additional commits merged to main while a release is being prepared. This also guards against reusing an existing tag that points at a different commit.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/.github/workflows/release-cuda-pathfinder.yml b/.github/workflows/release-cuda-pathfinder.yml
@@ -4,8 +4,8 @@
 
 # One-click release workflow for cuda-pathfinder.
 #
-# Provide a version number.  The workflow automatically finds the CI run and
-# creates the git tag, creates a draft GitHub release with the standard
+# Provide a version number and commit SHA.  The workflow automatically finds
+# the CI run and creates the git tag, creates a draft GitHub release with the standard
 # body, builds versioned docs, uploads source archive + wheels to the
 # release, publishes to TestPyPI, verifies the install, publishes to PyPI,
 # verifies again, and finally marks the release as published.
@@ -19,6 +19,10 @@ on:
         description: "Version to release (e.g. 1.3.5)"
         required: true
         type: string
+      commit:
+        description: "Commit SHA to release (must be on default branch)"
+        required: true
+        type: string
 
 concurrency:
   group: release-cuda-pathfinder
@@ -70,6 +74,33 @@ jobs:
             echo "version=${version}"
           } >> "$GITHUB_OUTPUT"
 
+      - name: Validate and resolve commit
+        id: commit
+        env:
+          COMMIT_INPUT: ${{ inputs.commit }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: |
+          # Require a full SHA to avoid ambiguity and accidental releases.
+          if [[ ! "${COMMIT_INPUT}" =~ ^[0-9a-fA-F]{40}$ ]]; then
+            echo "::error::Commit must be a full 40-character SHA, got: ${COMMIT_INPUT}"
+            exit 1
+          fi
+
+          git fetch --no-tags origin "${DEFAULT_BRANCH}"
+          commit=$(git rev-parse --verify "${COMMIT_INPUT}^{commit}" 2>/dev/null || true)
+          if [[ -z "${commit}" ]]; then
+            echo "::error::Commit not found in repository: ${COMMIT_INPUT}"
+            exit 1
+          fi
+
+          if ! git merge-base --is-ancestor "${commit}" "origin/${DEFAULT_BRANCH}"; then
+            echo "::error::Commit ${commit} is not reachable from origin/${DEFAULT_BRANCH}"
+            exit 1
+          fi
+
+          echo "commit=${commit}" >> "$GITHUB_OUTPUT"
+          echo "Using release commit: ${commit}"
+
       - name: Check release notes exist
         env:
           VERSION: ${{ steps.vars.outputs.version }}
@@ -90,11 +121,17 @@ jobs:
       - name: Create tag
         env:
           TAG: ${{ steps.vars.outputs.tag }}
+          TARGET_COMMIT: ${{ steps.commit.outputs.commit }}
         run: |
           if git rev-parse "${TAG}" >/dev/null 2>&1; then
-            echo "Tag ${TAG} already exists"
+            existing_commit=$(git rev-parse "${TAG}^{commit}")
+            if [[ "${existing_commit}" != "${TARGET_COMMIT}" ]]; then
+              echo "::error::Tag ${TAG} already exists at ${existing_commit}, expected ${TARGET_COMMIT}"
+              exit 1
+            fi
+            echo "Tag ${TAG} already exists at requested commit ${TARGET_COMMIT}"
           else
-            git tag "${TAG}"
+            git tag "${TAG}" "${TARGET_COMMIT}"
             git push origin "${TAG}"
           fi
 
