From 9cb94783ba2009129186f2e53b5c20e3f3affd6b Mon Sep 17 00:00:00 2001 From: Jose Palomares Date: Tue, 9 Jun 2026 12:21:12 +0200 Subject: [PATCH 1/5] fix: trigger major-tag update on tag push instead of release published The release: published event is suppressed by GITHUB_TOKEN anti-recursion when a release is published by automation, which left v8 stuck on v8.3.7 after the v8.3.8 release (build-image.yaml@v8 then lacked the timeoutMinutes input, breaking kubernetes.yaml@v8.3.8 consumers). Trigger on the semver tag push instead (created only on publish, never on drafts), derive the version from the pushed ref, and add a workflow_dispatch recovery lever to realign the major tag manually. --- .../ci.update-major-version-tag.yaml | 35 +++++++++++-------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.update-major-version-tag.yaml b/.github/workflows/ci.update-major-version-tag.yaml index 0937716..8afa747 100644 --- a/.github/workflows/ci.update-major-version-tag.yaml +++ b/.github/workflows/ci.update-major-version-tag.yaml @@ -1,8 +1,18 @@ name: Update major tag on: - release: - types: - - published + # Fire when the semver tag itself is created (i.e. on publish). A draft + # release does not create its git tag, so this never runs for drafts, and it + # is immune to the GITHUB_TOKEN anti-recursion that can swallow the + # `release: published` event (see v8.3.8, which left v8 a release behind). + push: + tags: + - "v[0-9]+.[0-9]+.[0-9]+" + # Manual recovery lever to realign the major tag to a specific version. + workflow_dispatch: + inputs: + tag: + description: "Semver tag to align the major tag to (e.g. v8.3.8)" + required: true jobs: update-major-tag: 
@@ -15,10 +25,11 @@ jobs: - name: Extract major version id: version run: | - # Get the latest tag created by the release job - TAG_NAME="$(git describe --tags --abbrev=0)" - echo "Retrieved tag: $TAG_NAME" - # Extract major version (e.g., v8.2.7 -> v8) + # Use the pushed tag ref (or the dispatch input) directly; no + # `git describe` topology guesswork. + TAG_NAME="${{ github.event.inputs.tag || github.ref_name }}" + echo "Resolved tag: $TAG_NAME" + # Extract major version (e.g. v8.2.7 -> v8) MAJOR_VERSION="$(echo "$TAG_NAME" | sed -E 's/^v([0-9]+)\..*/v\1/')" echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT" echo "full_version=$TAG_NAME" >> "$GITHUB_OUTPUT" @@ -27,10 +38,6 @@ jobs: git config user.name "parcellab-dev-bot" git config user.email "dev.bot@parcellab.com" - # Delete existing major version tag if it exists - git tag -d "${{ steps.version.outputs.major_version }}" || true - git push -d origin "${{ steps.version.outputs.major_version }}" || true - - # Create new major version tag pointing to the same commit as the full version - git tag "${{ steps.version.outputs.major_version }}" - git push origin tag "${{ steps.version.outputs.major_version }}" + # Point the major version tag at the resolved full version commit. + git tag -f "${{ steps.version.outputs.major_version }}" "${{ steps.version.outputs.full_version }}" + git push origin -f "refs/tags/${{ steps.version.outputs.major_version }}" From 823cfb621a551e04d16d89768f4314f72c8011c8 Mon Sep 17 00:00:00 2001 
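Review bot: In the `Extract major version` step (PATCH 1/5), `TAG_NAME="${{ github.event.inputs.tag || github.ref_name }}"` substitutes the dispatch input or tag name into the script text before bash parses it, so shell metacharacters in either value become part of the script rather than data. Pass the value through the step environment instead: add `env:` with `TAG_NAME: ${{ github.event.inputs.tag || github.ref_name }}` to the step and drop the assignment line, so the script only ever reads `"$TAG_NAME"`. The same inline pattern is carried forward when this line is rewritten in PATCH 4/5 (`github.event.release.tag_name`) and PATCH 5/5, and the semver check added in PATCH 2/5 runs only after the substitution, so it does not cover this. The `git tag -f` / `git push origin -f` lines in the following hunk interpolate `steps.version.outputs.*` the same way and would be safer reading them from `env:` as well. The opening lines of the step and the checkout step sit outside the hunk.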
From: Jose Palomares Date: Tue, 9 Jun 2026 12:25:49 +0200 Subject: [PATCH 2/5] fix: use glob tag filter and guard against tag deletions Address review feedback: - on.push.tags uses glob syntax, not regex; v[0-9]+.[0-9]+.[0-9]+ required a literal '+' and would never match v8.3.8. Use v[0-9]*.[0-9]*.[0-9]* and enforce the exact vX.Y.Z shape in the script (also skips pre-releases). - push fires on tag deletion too; add a job-level guard so it only runs on tag creation or manual dispatch. --- .../workflows/ci.update-major-version-tag.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.update-major-version-tag.yaml b/.github/workflows/ci.update-major-version-tag.yaml index 8afa747..e726c69 100644 --- a/.github/workflows/ci.update-major-version-tag.yaml +++ b/.github/workflows/ci.update-major-version-tag.yaml @@ -4,9 +4,11 @@ on: # release does not create its git tag, so this never runs for drafts, and it # is immune to the GITHUB_TOKEN anti-recursion that can swallow the # `release: published` event (see v8.3.8, which left v8 a release behind). + # NOTE: tag filters are globs, not regex — `*` matches any chars, `[0-9]` a + # digit. The exact semver shape is enforced in the job below. push: tags: - - "v[0-9]+.[0-9]+.[0-9]+" + - "v[0-9]*.[0-9]*.[0-9]*" # Manual recovery lever to realign the major tag to a specific version. workflow_dispatch: inputs: @@ -17,6 +19,9 @@ on: jobs: update-major-tag: runs-on: ubuntu-latest + # Skip tag deletions (push events with deleted=true): the ref is gone and + # there is nothing to realign to. Only run on tag creation or manual dispatch. + if: ${{ github.event_name == 'workflow_dispatch' || github.event.created }} steps: - name: Checkout uses: actions/checkout@v6 
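Review bot: The replacement filter `"v[0-9]*.[0-9]*.[0-9]*"` under `on.push.tags` (PATCH 2/5) is looser than the pattern it replaces, and the premise for the change looks wrong. GitHub's workflow-syntax filter patterns document `+` as "one or more of the preceding character" and list `v[12].[0-9]+.[0-9]+` as a semver example, so `v[0-9]+.[0-9]+.[0-9]+` should already match `v8.3.8`. In the new pattern each `*` matches any run of characters other than `/`, so tags with arbitrary suffixes start the job and only the in-script regex stops them. I would keep `- "v[0-9]+.[0-9]+.[0-9]+"` and correct the comment above it to `# Filter pattern, not regex: "+" repeats the preceding character, "." is literal.`; the comment introduced in PATCH 3/5 (`+`/`.` are literal) repeats the same claim.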
@@ -29,11 +34,19 @@ jobs: # `git describe` topology guesswork. TAG_NAME="${{ github.event.inputs.tag || github.ref_name }}" echo "Resolved tag: $TAG_NAME" + # Enforce a strict semver release tag (no pre-release/build suffix) so + # the major tag never tracks a pre-release. + if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "::notice::'$TAG_NAME' is not a release semver tag (vX.Y.Z); skipping major-tag update." + echo "skip=true" >> "$GITHUB_OUTPUT" + exit 0 + fi # Extract major version (e.g. v8.2.7 -> v8) MAJOR_VERSION="$(echo "$TAG_NAME" | sed -E 's/^v([0-9]+)\..*/v\1/')" echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT" echo "full_version=$TAG_NAME" >> "$GITHUB_OUTPUT" - name: Update major version tag + if: ${{ steps.version.outputs.skip != 'true' }} run: | git config user.name "parcellab-dev-bot" git config user.email "dev.bot@parcellab.com" From 35ef05e5e08f58a83f48e0dc1ce1ff70a14cbf89 Mon Sep 17 00:00:00 2001 From: Jose Palomares Date: Tue, 9 Jun 2026 12:27:45 +0200 Subject: [PATCH 3/5] chore: trim comments to incident-critical notes only --- .../workflows/ci.update-major-version-tag.yaml | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci.update-major-version-tag.yaml b/.github/workflows/ci.update-major-version-tag.yaml index e726c69..030ddb3 100644 --- a/.github/workflows/ci.update-major-version-tag.yaml +++ b/.github/workflows/ci.update-major-version-tag.yaml 
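Review bot: In the semver check added to `Extract major version` (PATCH 2/5), a rejected tag ends the step with `exit 0` and a `::notice::` on every trigger, so a `workflow_dispatch` run with a mistyped `tag` input finishes green while the major tag stays where it was. For the manual path I would fail loudly ahead of the skip branch, e.g. `if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then echo "::error::'$TAG_NAME' is not vX.Y.Z"; exit 1; fi`. The check also validates only the shape of the name, not that the tag exists; `git rev-parse -q --verify "refs/tags/$TAG_NAME" >/dev/null` would give a clear failure before `git tag -f` runs. Whether the checkout fetches tags is not visible from this hunk, so that part is worth confirming against the `Checkout` step.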
@@ -1,15 +1,10 @@ name: Update major tag on: - # Fire when the semver tag itself is created (i.e. on publish). A draft - # release does not create its git tag, so this never runs for drafts, and it - # is immune to the GITHUB_TOKEN anti-recursion that can swallow the - # `release: published` event (see v8.3.8, which left v8 a release behind). - # NOTE: tag filters are globs, not regex — `*` matches any chars, `[0-9]` a - # digit. The exact semver shape is enforced in the job below. + # Trigger on tag push, not `release: published` — that event is suppressed by GITHUB_TOKEN anti-recursion and left v8 a release behind (build-image input break). push: tags: + # Glob filter, not regex (`+`/`.` are literal). Exact semver enforced in the job. - "v[0-9]*.[0-9]*.[0-9]*" - # Manual recovery lever to realign the major tag to a specific version. workflow_dispatch: inputs: tag: @@ -19,8 +14,6 @@ on: jobs: update-major-tag: runs-on: ubuntu-latest - # Skip tag deletions (push events with deleted=true): the ref is gone and - # there is nothing to realign to. Only run on tag creation or manual dispatch. if: ${{ github.event_name == 'workflow_dispatch' || github.event.created }} steps: - name: Checkout 
@@ -30,18 +23,13 @@ jobs: - name: Extract major version id: version run: | - # Use the pushed tag ref (or the dispatch input) directly; no - # `git describe` topology guesswork. TAG_NAME="${{ github.event.inputs.tag || github.ref_name }}" echo "Resolved tag: $TAG_NAME" - # Enforce a strict semver release tag (no pre-release/build suffix) so - # the major tag never tracks a pre-release. if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "::notice::'$TAG_NAME' is not a release semver tag (vX.Y.Z); skipping major-tag update." echo "skip=true" >> "$GITHUB_OUTPUT" exit 0 fi - # Extract major version (e.g. v8.2.7 -> v8) MAJOR_VERSION="$(echo "$TAG_NAME" | sed -E 's/^v([0-9]+)\..*/v\1/')" echo "major_version=$MAJOR_VERSION" >> "$GITHUB_OUTPUT" echo "full_version=$TAG_NAME" >> "$GITHUB_OUTPUT" @@ -51,6 +39,5 @@ jobs: git config user.name "parcellab-dev-bot" git config user.email "dev.bot@parcellab.com" - # Point the major version tag at the resolved full version commit. git tag -f "${{ steps.version.outputs.major_version }}" "${{ steps.version.outputs.full_version }}" git push origin -f "refs/tags/${{ steps.version.outputs.major_version }}" From bc3d5af27a4a79f08f1158fbf9db38eb8ac0ee7c Mon Sep 17 00:00:00 2001 From: Jose Palomares Date: Wed, 10 Jun 2026 10:23:56 +0200 Subject: [PATCH 4/5] fix: harden release-published major-tag update Keep release: published (releases are created manually by a human, so the GITHUB_TOKEN suppression does not apply), but harden the weak parts: - take the version from github.event.release.tag_name instead of fragile git describe topology guessing - enforce strict vX.Y.Z semver and skip pre-releases - add workflow_dispatch recovery lever to realign the major tag by hand - idempotent git tag -f + force-push instead of delete-then-recreate --- .github/workflows/ci.update-major-version-tag.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/ci.update-major-version-tag.yaml b/.github/workflows/ci.update-major-version-tag.yaml index 030ddb3..c4709e1 100644 --- a/.github/workflows/ci.update-major-version-tag.yaml +++ b/.github/workflows/ci.update-major-version-tag.yaml @@ -1,10 +1,9 @@ name: Update major tag on: - # Trigger on tag push, not `release: published` — that event is suppressed by GITHUB_TOKEN anti-recursion and left v8 a release behind (build-image input break). - push: - tags: - # Glob filter, not regex (`+`/`.` are literal). Exact semver enforced in the job. - - "v[0-9]*.[0-9]*.[0-9]*" + # `release: published` is suppressed when the release is published by the default GITHUB_TOKEN — publish releases as a human (or PAT), never via GITHUB_TOKEN, or v8 silently lags behind. + release: + types: + - published workflow_dispatch: inputs: tag: @@ -14,7 +13,7 @@ on: jobs: update-major-tag: runs-on: ubuntu-latest - if: ${{ github.event_name == 'workflow_dispatch' || github.event.created }} + if: ${{ github.event_name == 'workflow_dispatch' || github.event.release.prerelease == false }} steps: - name: Checkout uses: actions/checkout@v6 @@ -23,7 +22,7 @@ jobs: - name: Extract major version id: version run: | - TAG_NAME="${{ github.event.inputs.tag || github.ref_name }}" + TAG_NAME="${{ github.event.inputs.tag || github.event.release.tag_name }}" echo "Resolved tag: $TAG_NAME" if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "::notice::'$TAG_NAME' is not a release semver tag (vX.Y.Z); skipping major-tag update." From 71246bb29785cf9055c209cfa8726f763ff38615 Mon Sep 17 00:00:00 2001 From: Andreas Beuge Date: Wed, 10 Jun 2026 16:23:47 +0200 Subject: [PATCH 5/5] chore: add tag trigger to the pipeline --- .github/workflows/ci.update-major-version-tag.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.update-major-version-tag.yaml b/.github/workflows/ci.update-major-version-tag.yaml index c4709e1..682cd39 100644 
--- a/.github/workflows/ci.update-major-version-tag.yaml +++ b/.github/workflows/ci.update-major-version-tag.yaml @@ -4,16 +4,22 @@ on: release: types: - published + push: + tags: + - "v*.*.*" workflow_dispatch: inputs: tag: description: "Semver tag to align the major tag to (e.g. v8.3.8)" required: true +permissions: + contents: write + jobs: update-major-tag: runs-on: ubuntu-latest - if: ${{ github.event_name == 'workflow_dispatch' || github.event.release.prerelease == false }} + if: ${{ github.event_name == 'workflow_dispatch' || github.event_name == 'push' || github.event.release.prerelease == false }} steps: - name: Checkout uses: actions/checkout@v6 @@ -22,7 +28,7 @@ jobs: - name: Extract major version id: version run: | - TAG_NAME="${{ github.event.inputs.tag || github.event.release.tag_name }}" + TAG_NAME="${{ github.event.inputs.tag || github.event.release.tag_name || github.ref_name }}" echo "Resolved tag: $TAG_NAME" if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "::notice::'$TAG_NAME' is not a release semver tag (vX.Y.Z); skipping major-tag update."
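Review bot: The new `github.event_name == 'push'` term in the job-level `if:` (PATCH 5/5) lets every matching tag push through unconditionally, which bypasses the guards the earlier patches built. A release marked as a pre-release but tagged with a plain `vX.Y.Z` name is skipped on the `release` event yet still moves the major tag through the push event, and the `github.event.created` guard that PATCH 2/5 added against tag-deletion pushes is not restored; `(github.event_name == 'push' && github.event.created)` would bring the latter back. Publishing a release by hand will now presumably raise both `release` and `push` for the same tag, so two runs force-push the same major tag; a workflow-level `concurrency:` group would serialise them. The `"v*.*.*"` filter is also the loosest in the series, and `"v[0-9]+.[0-9]+.[0-9]+"` would keep non-release tags from starting a job that holds `contents: write`.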