ci: drop v prefix on release tags (org ruleset blocks v*)#38
Merged
Conversation
PR #37's release attempt got all the way to `gh release create` but failed with: Cannot create ref due to creations being restricted. Published releases must have a valid tag. Root cause: the TheJumpCloud org has a ruleset "Version Tag Protections" (target=tag) that forbids creating refs matching refs/tags/v* (and refs/tags/proto/v*). GITHUB_TOKEN cannot bypass it. The workflow was minting tags like v1.17.0 while the existing release tags (1.15.0, 1.16.0) use the no-prefix convention. Strip the v so the next release lands as 1.17.0 instead of v1.17.0. Matches the org rule and stays consistent with the historical tag scheme. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jrennichjc
approved these changes
May 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PR #37 got the workflow all the way to
gh release create— tests passed, all 5 binaries built — butgh release createfailed with:The TheJumpCloud org has a ruleset "Version Tag Protections" (target=tag) with rules forbidding
creation/update/deletion/non_fast_forwardon refs matchingrefs/tags/v*(andrefs/tags/proto/v*).GITHUB_TOKENcan't bypass it (current_user_can_bypass: "never"for actions).Our workflow was minting tags like
v1.17.0— directly inside the forbidden pattern. Meanwhile the existing release tags (1.15.0,1.16.0) use the no-prefix convention, which the rule explicitly allows.Fix
One-line change in
.github/workflows/release.yml:Plus a comment so the next person to touch this knows why there's no
v.What ships after this merges
Labeled
minor, so the (now-working) release workflow produces1.17.0(matching the1.16.0/1.15.0pattern) with auto-generated notes covering every PR since1.16.0.Follow-up housekeeping
There's a stray
minortag in the repo from an earlier botched workflow run (points ate3ad6090). Doesn't affect the version compute (semver.valid("minor") === false), but worth deleting. Out of scope for this PR.Test plan
gh api repos/.../rulesets/1555769) blocksv*tag creation1.15.0,1.16.0) don't carry thevprefix1.17.0🤖 Generated with Claude Code
Note
Low Risk
Single workflow change to tag naming; no application runtime or security logic affected.
Overview
Fixes failed
gh release createruns by emitting release tags without avprefix (e.g.1.17.0instead ofv1.17.0), matching existing tags and avoiding the org Version Tag Protections ruleset that blocksrefs/tags/v*.In Compute-Version,
tagis nowString(next)rather than`v${next}`, with a short comment explaining the ruleset constraint. The log line for the latest tag no longer adds avprefix.Reviewed by Cursor Bugbot for commit 112be90. Bugbot is set up for automated code reviews on this repo. Configure here.