Enforce release version and tag consistency

data-douser · data-douser · commit 6286915f6cf9 · 2026-02-23T07:08:09.000-07:00
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
@@ -46,6 +46,7 @@ jobs:
         with:
           fetch-depth: 0
           fetch-tags: true
+          ref: ${{ github.event.repository.default_branch }}
 
       - name: Tag - Validate and parse version
         id: version
@@ -63,60 +64,106 @@ jobs:
         id: check-tag
         run: |
           TAG="${{ steps.version.outputs.version }}"
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
           if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
             TAG_SHA=$(git rev-parse "refs/tags/${TAG}^{commit}" 2>/dev/null || git rev-parse "refs/tags/${TAG}")
-            echo "tag_exists=true" >> $GITHUB_OUTPUT
-            echo "tag_sha=${TAG_SHA}" >> $GITHUB_OUTPUT
             echo "ℹ️ Tag ${TAG} already exists at commit ${TAG_SHA:0:8}"
+
+            # Verify version-bearing files at the tagged commit match the release
+            TAG_SERVER_VERSION=$(git show "${TAG_SHA}:server/package.json" \
+              | grep -m1 '"version"' \
+              | sed 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
+            if [[ "${TAG_SERVER_VERSION}" == "${RELEASE_NAME}" ]]; then
+              echo "tag_exists=true" >> $GITHUB_OUTPUT
+              echo "tag_sha=${TAG_SHA}" >> $GITHUB_OUTPUT
+              echo "✅ Existing tag ${TAG} has correct version (${RELEASE_NAME})"
+            else
+              echo "⚠️ Version mismatch at tag ${TAG}: found ${TAG_SERVER_VERSION}, expected ${RELEASE_NAME}"
+              echo "  Removing stale tag to recreate with correct versions..."
+              git tag -d "${TAG}" 2>/dev/null || true
+              git push origin ":refs/tags/${TAG}" 2>/dev/null || true
+              echo "tag_exists=false" >> $GITHUB_OUTPUT
+              echo "ℹ️ Stale tag ${TAG} removed — will recreate with updated versions"
+            fi
           else
             echo "tag_exists=false" >> $GITHUB_OUTPUT
             echo "ℹ️ Tag ${TAG} does not exist yet"
           fi
 
+      - name: Tag - Validate versions at existing tag
+        id: validate-tag
+        if: steps.check-tag.outputs.tag_exists == 'true'
+        run: |
+          TAG="${{ steps.version.outputs.version }}"
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating version consistency at existing tag ${TAG}..."
+
+          # Check out the tagged commit to inspect version files
+          git checkout "refs/tags/${TAG}"
+
+          if ./server/scripts/update-release-version.sh --check "${RELEASE_NAME}"; then
+            echo "tag_valid=true" >> $GITHUB_OUTPUT
+            echo "✅ Existing tag has correct versions"
+          else
+            echo "tag_valid=false" >> $GITHUB_OUTPUT
+            echo ""
+            echo "⚠️ Existing tag ${TAG} has incorrect versions."
+            echo "Deleting tag and recreating with correct versions..."
+
+            # Return to the original branch
+            git checkout -
+
+            # Delete the remote and local tag so it can be recreated
+            git push --delete origin "${TAG}" || true
+            git tag -d "${TAG}" || true
+
+            echo "🗑️ Deleted tag ${TAG} — will recreate with correct versions"
+          fi
+
       - name: Tag - Setup CodeQL environment
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         uses: ./.github/actions/setup-codeql-environment
         with:
           add-to-path: true
           install-language-runtimes: false
 
       - name: Tag - Setup Node.js
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         uses: actions/setup-node@v6
         with:
           cache: 'npm'
           node-version-file: '.node-version'
 
       - name: Tag - Update release version
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: |
           TAG_VERSION="${{ steps.version.outputs.release_name }}"
           echo "Updating all version-bearing files to '${TAG_VERSION}'..."
           ./server/scripts/update-release-version.sh "${TAG_VERSION}"
 
       - name: Tag - Install dependencies
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: npm install --include=optional
 
       - name: Tag - Install CodeQL pack dependencies
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: server/scripts/install-packs.sh
 
       - name: Tag - Tidy (lint and format)
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: npm run tidy
 
       - name: Tag - Build server
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: npm run build -w server
 
       - name: Tag - Run tests
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: npm run test:server
 
       - name: Tag - Commit version changes and create tag
         id: create-tag
-        if: steps.check-tag.outputs.tag_exists != 'true'
+        if: steps.check-tag.outputs.tag_exists != 'true' || steps.validate-tag.outputs.tag_valid == 'false'
         run: |
           TAG="${{ steps.version.outputs.version }}"
           RELEASE_NAME="${{ steps.version.outputs.release_name }}"
@@ -150,14 +197,14 @@ jobs:
 
       - name: Tag - Output existing tag SHA
         id: existing-tag
-        if: steps.check-tag.outputs.tag_exists == 'true'
+        if: steps.check-tag.outputs.tag_exists == 'true' && steps.validate-tag.outputs.tag_valid != 'false'
         run: |
           echo "tag_sha=${{ steps.check-tag.outputs.tag_sha }}" >> $GITHUB_OUTPUT
 
       - name: Tag - Set final tag SHA output
         id: final-sha
         run: |
-          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
+          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ] && [ "${{ steps.validate-tag.outputs.tag_valid }}" != "false" ]; then
             SHA="${{ steps.check-tag.outputs.tag_sha }}"
           else
             SHA="${{ steps.create-tag.outputs.tag_sha }}"
@@ -169,7 +216,7 @@ jobs:
           TAG="${{ steps.version.outputs.version }}"
           echo "## Release Tag Summary" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ]; then
+          if [ "${{ steps.check-tag.outputs.tag_exists }}" == "true" ] && [ "${{ steps.validate-tag.outputs.tag_valid }}" != "false" ]; then
             echo "ℹ️ Tag \`${TAG}\` already existed at \`${{ steps.check-tag.outputs.tag_sha }}\`" >> $GITHUB_STEP_SUMMARY
           else
             echo "✅ Created tag \`${TAG}\` at \`${{ steps.create-tag.outputs.tag_sha }}\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,6 +29,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: release-${{ github.event.inputs.version || github.ref_name }}
+  cancel-in-progress: true
+
 jobs:
   # ─────────────────────────────────────────────────────────────────────────────
   # Step 1: Determine the release version
