From 9e6aafd4716100ef32372c591e20e40e55a66552 Mon Sep 17 00:00:00 2001 From: erickgonzalez Date: Mon, 11 May 2026 11:11:39 -0600 Subject: [PATCH] fix(ci): gate Docker :latest and "Next Release" relabel to main only The -6 release workflow is dispatchable from any branch, but it unconditionally pushed the :latest Docker tag and relabeled GitHub issues tagged "Next Release" with the dispatched release_version. When a release was run from a non-main branch (e.g. 26.04.11), this overwrote :latest with a non-main image and stamped main-only fixes with a release version that did not actually contain them. Add a `github.ref_name == 'main'` guard to both the deployment phase's `latest` input and the release phase's `update_github_labels` input so these side effects fire only when releasing from main. Refs #35651 Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/cicd_6-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd_6-release.yml b/.github/workflows/cicd_6-release.yml index 7a708acdba3e..ae32e9b7aa8e 100644 --- a/.github/workflows/cicd_6-release.yml +++ b/.github/workflows/cicd_6-release.yml @@ -121,7 +121,7 @@ jobs: tag-identifier: ${{ needs.release-prepare.outputs.release_version }} omit-environment-prefix: true artifact-run-id: ${{ github.run_id }} - latest: ${{ needs.release-prepare.outputs.is_latest == 'true' }} + latest: ${{ needs.release-prepare.outputs.is_latest == 'true' && github.ref_name == 'main' }} deploy-cli: true deploy-dev-image: true publish-npm-cli: false @@ -150,7 +150,7 @@ jobs: deploy_artifact: ${{ github.event.inputs.deploy_artifact == 'true' }} upload_javadocs: ${{ github.event.inputs.upload_javadocs == 'true' }} update_plugins: ${{ github.event.inputs.update_plugins == 'true' }} - update_github_labels: ${{ github.event.inputs.update_github_labels == 'true' }} + update_github_labels: ${{ github.event.inputs.update_github_labels == 'true' && github.ref_name == 'main' }} java-version: ${{ github.event.inputs.java-version }} artifact-suffix: ${{ github.event.inputs.artifact-suffix }} secrets: