Summary
- If a release dispatch fails mid-job and is re-dispatched, `tag` will fail on duplicate push, but `goreleaser` still runs on the `inputs.tag` checkout (the gate only covers dry-run vs tag-skipped, not tag-push-failure).
- `proxy-warm` failures mark the release as failed even when the release is fully published — a proxy indexing delay makes the UI look broken.
Scope
- Add an explicit `git ls-remote --exit-code --tags origin "refs/tags/$TAG"` check at the top of the `goreleaser` job — fail fast if a live (pushed) tag doesn't correspond to this run.
- Add `continue-on-error: true` to `proxy-warm` OR split it into a separate `workflow_dispatch`-triggered workflow that a maintainer can re-run.
Acceptance criteria
- Re-dispatch with an existing tag exits cleanly at the pre-flight with a message.
- Proxy indexing delay doesn't flag the release as failed.
Source: devops + security-reviewer.
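One way the pre-flight from Scope could look, as an added example that is not the project's workflow code. The function name `preflight_tag`, its exit codes and its messages are hypothetical, and it assumes "correspond to this run" means the remote tag resolves to the commit the job checked out.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not from the project's workflow).
# preflight_tag REMOTE TAG EXPECTED_SHA
#   0   remote tag exists and resolves to EXPECTED_SHA
#   2   tag is not on the remote (git ls-remote --exit-code found no match)
#   3   tag is on the remote but points at a different commit
#   64  usage error; any other code is passed through from git
# In a job step: preflight_tag origin "$TAG" "$(git rev-parse HEAD)"
preflight_tag() {
  local remote="$1" tag="$2" expected="$3" refs sha rc
  if [ -z "$remote" ] || [ -z "$tag" ] || [ -z "$expected" ]; then
    echo "usage: preflight_tag REMOTE TAG EXPECTED_SHA" >&2
    return 64
  fi

  # Query the tag ref and its peeled form (present only for annotated tags).
  refs=$(git ls-remote --exit-code --tags "$remote" \
           "refs/tags/${tag}" "refs/tags/${tag}^{}") || {
    rc=$?
    if [ "$rc" -eq 2 ]; then
      echo "pre-flight: tag $tag is not on $remote; not releasing" >&2
    else
      echo "pre-flight: git ls-remote failed with exit code $rc" >&2
    fi
    return "$rc"
  }

  # An annotated tag lists the tag object first and the commit on the ^{} line;
  # a lightweight tag has only the direct line, which is already the commit.
  sha=$(printf '%s\n' "$refs" | awk -v t="refs/tags/${tag}" '
    $2 == t "^{}" { peeled = $1 }
    $2 == t       { direct = $1 }
    END           { print (peeled != "" ? peeled : direct) }')

  if [ "$sha" != "$expected" ]; then
    echo "pre-flight: $tag on $remote is $sha, this run checked out $expected" >&2
    return 3
  fi
  echo "pre-flight: $tag on $remote matches $expected"
}
```

Comparing the peeled commit rather than the first line of output keeps the check correct for annotated tags, whose ref points at a tag object and not at the commit.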