fix(ci): checkout branch ref to avoid detached HEAD in release

[aryeko]

Summary

• The Release workflow has been failing because python-semantic-release v10 refuses to run in detached HEAD state, logging Detached HEAD state cannot match any release groups; no release will be made
• Root cause: the checkout step used ref: head_sha (a SHA always produces detached HEAD) instead of the branch name
• Fix: switch to ref: head_branch so Git checks out on the named branch, then verify HEAD still equals the CI-tested SHA to preserve the security guarantee

Changes

• .github/workflows/release.yml: checkout by branch name + add SHA verification step

Test plan

• Merge a feat: or fix: commit to main and confirm the Release workflow runs to completion (PSR bumps version, creates tag, triggers publish jobs)
• Confirm the verification step fails fast if HEAD doesn't match the expected SHA (can be tested by temporarily pointing head_branch to a branch ahead of head_sha)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated release workflow verification process to improve reliability
  • Modified commit message validation execution

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the release workflow to use branch references instead of commit SHA during checkout, adds SHA verification logic to ensure correctness, and changes the commitlint invocation in the commit message hook to explicitly use the lint subcommand.

Changes

Cohort / File(s)	Summary
Release Workflow Verification .github/workflows/release.yml	Changed checkout to reference branch instead of SHA; added verification step comparing current HEAD with expected SHA with diagnostic error output.
Commit Hook CLI Update scripts/commit-msg	Updated commitlint invocation to explicitly use the lint subcommand instead of relying on default CLI behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A branch we now follow with care,
Not SHA's, but the path through the air,
Verification stands guard at the gate,
While commitlint speaks with a new, clearer state,
Our pipelines now safer, our hooks more aware! 🌿

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description provides a clear summary of the issue and fix, lists the changes, and includes a test plan with verification steps. However, it does not follow the repository's template structure with proper section headings and checkboxes.	Restructure the description to match the template format: use the provided section headings (Summary, Changes, Verification, Breaking changes, Notes) and complete the verification checklist with appropriate checkboxes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: fixing the CI release workflow by using branch reference to avoid detached HEAD state.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch worktree-fix-release-detached-head

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/commit-msg`:
- Line 5: In the commit hook script there is an incorrect commitlint invocation:
replace the current invocation that includes the extra "lint" subcommand (the
line that runs poetry run commitlint lint --file "$1") with the correct CLI
usage that omits "lint" so the script runs commitlint with the --file argument
(i.e., use poetry run commitlint --file "$1"). This change fixes the hook so
commitlint validates the file contents instead of treating "lint" as the commit
message.

fixed