fix: address PR review feedback for version bumping #3

Merged
github-actions[bot] merged 1 commit into main from fix/review-feedback
Feb 19, 2026
@chiply (Owner) commented Feb 19, 2026

Summary

  • Require same-repo origin on auto-merge to prevent forked-PR abuse
  • Tighten version regex to require at least one digit per semver component
  • Scan full commit history (root..HEAD) when no tag exists instead of only HEAD
  • Recognize BREAKING-CHANGE token alongside BREAKING CHANGE
  • Guard against empty commits in release workflow (skip if no files changed)
  • Add git pull --rebase before push to handle concurrent commits to main

Test plan

  • CI passes
  • Auto-merge triggers for this PR (same-repo check passes)
  • After merge, release workflow handles version bump correctly

🤖 Generated with Claude Code

- Require same-repo origin for auto-merge to prevent fork abuse
- Tighten version regex to require at least one digit per component
- Scan full commit history when no tag exists (root..HEAD)
- Recognize BREAKING-CHANGE token alongside BREAKING CHANGE
- Guard against empty commits in release workflow
- Rebase before push to handle concurrent pushes to main

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 19, 2026 20:27
@github-actions github-actions bot enabled auto-merge (squash) February 19, 2026 20:27
@github-actions github-actions bot merged commit 230cadb into main Feb 19, 2026
8 checks passed

Copilot AI left a comment

Pull request overview

This PR addresses several security and robustness improvements to the automated version bumping and release workflows. The changes include same-repo validation for auto-merge, tighter version parsing, full commit history scanning, expanded breaking change detection, empty commit guards, and concurrent commit handling.

Changes:

  • Enhanced security for auto-merge by requiring PRs to originate from the same repository
  • Improved version regex to require at least one digit per semantic version component
  • Extended commit scanning to include full repository history when no tags exist
  • Expanded breaking change detection to recognize both BREAKING CHANGE and BREAKING-CHANGE formats
  • Added safeguards against empty commits and concurrent modifications in release workflow

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/auto-merge.yml | Added same-repository check to prevent auto-merge of forked PRs |
| scripts/bump-version.sh | Tightened version regex, improved commit range scanning, and expanded BREAKING CHANGE detection |
| .github/workflows/release.yml | Added empty commit guard and git rebase to handle concurrent commits |

Comment on lines 43 to +44
git tag "$TAG"
git pull --rebase origin main
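
Review bot: the `git pull --rebase origin main` added at line +44 narrows the window for a rejected push but does not close it, because another commit can still land on main between this rebase and the push that the PR description says follows it. Put the rebase and the push inside a bounded retry, and make sure a failed rebase aborts the step rather than falling through to the push with a half-applied release commit.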
Copilot AI Feb 19, 2026

The tag is created before the rebase, which means it will point to the pre-rebase commit hash. After rebasing, the commit hash changes, so the tag will point to a commit that is no longer in the main branch's history. The tag should be created after the rebase, not before. Move line 43 to after line 44.

Suggested change
git tag "$TAG"
git pull --rebase origin main
git pull --rebase origin main
git tag "$TAG"
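
The ordering problem raised in the review comment above, reproduced in throwaway repositories. This is an added example, not code from this PR or from the project's release.yml; the repository layout, file names and the v0.2.0 tag are constructed.

```shell
#!/usr/bin/env bash
# Added example: throwaway repos in a temp dir; names and versions are constructed.
# Usage: release_demo tag-first|rebase-first  -> prints "orphaned" or "reachable"
release_demo() {
  local order=$1 tmp status
  tmp=$(mktemp -d) || return 1
  (
    set -e
    cd "$tmp"
    # Isolate the demo from the caller's git configuration and identity.
    export HOME="$tmp" GIT_CONFIG_NOSYSTEM=1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    TAG=v0.2.0

    # Seed history, a bare "origin", and two clones: the release job and a developer.
    git init -q seed 2>/dev/null
    git -C seed symbolic-ref HEAD refs/heads/main
    echo 0.1.0 > seed/VERSION
    git -C seed add VERSION
    git -C seed commit -q -m "chore: initial commit"
    git clone -q --bare seed origin.git
    git clone -q origin.git ci
    git clone -q origin.git dev

    # A concurrent commit reaches main while the release job is running.
    echo notes > dev/NOTES
    git -C dev add NOTES
    git -C dev commit -q -m "docs: concurrent change"
    git -C dev push -q origin main

    # The release job commits the version bump, then tags and rebases in the given order.
    cd ci
    echo 0.2.0 > VERSION
    git commit -q -a -m "chore: release $TAG"
    if [ "$order" = tag-first ]; then
      git tag "$TAG"
      git pull -q --rebase origin main >/dev/null 2>&1
    else
      git pull -q --rebase origin main >/dev/null 2>&1
      git tag "$TAG"
    fi

    # Is the tagged commit part of the history that would be pushed to main?
    if git merge-base --is-ancestor "$TAG" main; then echo reachable; else echo orphaned; fi
  )
  status=$?
  rm -rf "$tmp"
  return "$status"
}
```

`release_demo tag-first` reports the tag as orphaned because the rebase rewrites the release commit under a new hash; `release_demo rebase-first` reports it as reachable from main.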
