Skip to content

ci: release workflow has same trapfall as uteke #325 — sync-main blind force-push + unprotected main #278

Description

@ajianaz

Problem

The release workflow (.github/workflows/release.yml) has the same pattern that caused uteke issue #325:

1. sync-main uses blind git push --force

git push origin HEAD:main --force

No ancestor check. If main diverged (e.g., hotfix PR merged directly to main), this silently rewrites main history.

2. publish-crates has needs: []

Crates.io publish runs independently of sync-main. If sync-main fails, crates are still published — creating a version mismatch between crates.io and main branch.

3. main branch has NO protection

$ gh api repos/codecoradev/cora-cli/branches/main/protection
→ 404 Branch not protected

Anyone with write access can push directly to main. This is the root cause pattern — direct pushes to main cause diverge from develop.

4. actions/checkout@v4 is outdated

uteke already updated to @v6.

Evidence

Currently main = develop (0 diff), so no active bug right now. But the same pattern caused uteke's main to get stuck at v0.0.12 while release proceeded with v0.1.0 binaries.

Fix

Copy the hardened pattern from uteke (PR #326):

Release workflow

  • sync-main: check merge-base --is-ancestor before push. Abort if main diverged.
  • publish-crates: needs: [sync-main] (blocking dependency)
  • build-release: needs: [sync-main] (already correct)
  • Update actions/checkout@v4@v6

Branch protection

  • main: required_pull_request_reviews: 0 (PR required, no approvals)
  • main: required_linear_history: true (no merge commits)
  • main: allow_force_pushes: true (for release workflow only)
  • main: allow_deletions: false

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions