@@ -72,10 +72,40 @@ jobs:
7272 path : ${{ github.workspace }}/**/TestResults/**/*.trx
7373 retention-days : 5
7474
75- build-nuget :
75+ validate-release :
7676 needs : test
7777 if : startsWith(github.ref, 'refs/tags/v')
7878 runs-on : ubuntu-latest
79+ outputs :
80+ is_valid : ${{ steps.check.outputs.is_valid }}
81+ version : ${{ steps.check.outputs.version }}
82+
83+ steps :
84+ - uses : actions/checkout@v4
85+ with :
86+ fetch-depth : 0
87+
88+ - name : Verify tag is on master branch
89+ id : check
90+ run : |
91+ TAG_COMMIT=$(git rev-parse HEAD)
92+ VERSION="${GITHUB_REF#refs/tags/v}"
93+ echo "version=$VERSION" >> $GITHUB_OUTPUT
94+
95+ # Check if the tagged commit is reachable from origin/master
96+ if git merge-base --is-ancestor "$TAG_COMMIT" origin/master; then
97+ echo "Tag v$VERSION is on master branch"
98+ echo "is_valid=true" >> $GITHUB_OUTPUT
99+ else
100+ echo "::error::Tag v$VERSION is NOT on master branch. Releases must be tagged from master."
101+ echo "is_valid=false" >> $GITHUB_OUTPUT
102+ exit 1
103+ fi
104+
105+ build-nuget :
106+ needs : validate-release
107+ if : needs.validate-release.outputs.is_valid == 'true'
108+ runs-on : ubuntu-latest
79109
80110 steps :
81111 - uses : actions/checkout@v4
@@ -155,8 +185,8 @@ jobs:
155185 retention-days : 5
156186
157187 create-release :
158- needs : build-nuget
159- if : startsWith(github.ref, 'refs/tags/v')
188+ needs : [validate-release, build-nuget]
189+ if : needs.validate-release.outputs.is_valid == 'true'
160190 runs-on : ubuntu-latest
161191
162192 steps :
@@ -218,8 +248,8 @@ jobs:
218248 | NumSharp.Bitmap | [](https://www.nuget.org/packages/NumSharp.Bitmap/${{ steps.version.outputs.VERSION }}) |
219249
220250publish-nuget :
221- needs : build-nuget
222- if : startsWith(github.ref, 'refs/tags/v')
251+ needs : [validate-release, build-nuget]
252+ if : needs.validate-release.outputs.is_valid == 'true'
223253 runs-on : ubuntu-latest
224254
225255 steps :
0 commit comments