ci: gate release on master ancestry; use docker for musl builds

rubnogueira · claude · rubnogueira · commit 59e6240a3da3 · 2026-05-19T18:20:03.000+01:00
- Add a `gate-release` job that runs after the matrix and only allows
  the `release` job to proceed if the tag commit is reachable from
  origin/master. Tags pushed from feature branches still run the build
  matrix (for verification) but the release is skipped, not failed.
- Replace the `container: node:24-alpine` directive on musl jobs with
  an explicit `docker run` invocation. GitHub Actions JS actions can't
  run inside Alpine containers on ARM64 runners; running the build
  inside `docker run` on the host runner sidesteps that limitation and
  keeps the x64/arm64 musl paths identical.
- Drop the obsolete `build-release` branch from the push trigger.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/prebuild.yml b/.github/workflows/prebuild.yml
@@ -2,7 +2,7 @@ name: prebuild
 
 on:
   push:
-    branches: [master, main, build-release]
+    branches: [master, main]
     tags: ['v*']
   pull_request:
   workflow_dispatch:
@@ -34,34 +34,30 @@ jobs:
             runner: ubuntu-latest
           - id: linux-x64-musl
             runner: ubuntu-latest
-            container: node:24-alpine
+            musl: true
           - id: linux-arm64-glibc
             runner: ubuntu-24.04-arm
           - id: linux-arm64-musl
             runner: ubuntu-24.04-arm
-            container: node:24-alpine
+            musl: true
           - id: win32-x64
             runner: windows-latest
 
-    container: ${{ matrix.container }}
-
     steps:
-      - name: Install Alpine build deps
-        if: matrix.container == 'node:24-alpine'
-        run: apk add --no-cache bash python3 make g++ git tar
-
       - uses: actions/checkout@v5
 
-      - name: Set up Node (non-container runners)
-        if: matrix.container == ''
+      - name: Set up Node (non-musl jobs)
+        if: ${{ !matrix.musl }}
         uses: actions/setup-node@v5
         with:
           node-version: '24'
 
-      - name: Install npm deps (no scripts so install hook can't fire)
+      - name: Install npm deps (non-musl)
+        if: ${{ !matrix.musl }}
         run: npm ci --ignore-scripts
 
-      - name: Build prebuilds for all target ABIs
+      - name: Build prebuilds for all target ABIs (non-musl)
+        if: ${{ !matrix.musl }}
         shell: bash
         run: |
           set -euo pipefail
@@ -74,6 +70,29 @@ jobs:
           # consumer side.
           npx prebuild $args --strip --tag-libc
 
+      # Musl path runs inside docker rather than using `container:`, because
+      # GitHub Actions JavaScript actions can't run in Alpine containers on
+      # ARM64 runners. Doing the whole build inside `docker run` sidesteps
+      # that limitation and keeps the x64/arm64 musl steps identical.
+      - name: Build musl prebuilds via Alpine docker
+        if: ${{ matrix.musl }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          docker run --rm \
+            -v "$PWD":/work -w /work \
+            -e NODE_TARGETS="$NODE_TARGETS" \
+            node:24-alpine sh -c '
+              set -e
+              apk add --no-cache python3 make g++ git tar
+              npm ci --ignore-scripts
+              args=""
+              for v in $NODE_TARGETS; do
+                args="$args -t $v"
+              done
+              npx prebuild $args --strip --tag-libc
+            '
+
       - name: Verify each tarball contains a .node binary
         shell: bash
         run: |
@@ -98,11 +117,38 @@ jobs:
           if-no-files-found: error
           retention-days: 30
 
-  release:
-    name: attach prebuilds to GitHub Release
+  # Gate the release on tag being reachable from master. If the tag was
+  # pushed from a feature branch (or any non-master commit), this job
+  # outputs on_master=false and the release job is skipped (not failed).
+  gate-release:
+    name: gate release on master ancestry
     needs: prebuild
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    outputs:
+      on_master: ${{ steps.check.outputs.on_master }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - id: check
+        run: |
+          set -euo pipefail
+          git fetch origin master
+          if git merge-base --is-ancestor "$GITHUB_SHA" origin/master; then
+            echo "Tag $GITHUB_REF_NAME (commit $GITHUB_SHA) is on master — release will publish"
+            echo "on_master=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Tag $GITHUB_REF_NAME (commit $GITHUB_SHA) is NOT on master — release will be skipped"
+            echo "Merge your PR to master first, then re-tag the merge commit."
+            echo "on_master=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  release:
+    name: attach prebuilds to GitHub Release
+    needs: [prebuild, gate-release]
+    if: needs.gate-release.outputs.on_master == 'true'
+    runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
