Merged
5 changes: 4 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -171,6 +171,7 @@ jobs:
build:
name: Build ${{ matrix.label }}
needs: preflight
if: ${{ !failure() && !cancelled() }}
🔴 Critical workflows/release.yml:174

The `if: ${{ !failure() && !cancelled() }}` condition on `build`, `publish_cli`, and `release` allows these jobs to run when `preflight` is **skipped** — which happens on scheduled runs with no changes. When `preflight` is skipped, its outputs are empty, so `build` runs with empty `version` and `ref` values, cascading to broken releases. GitHub Actions' default `success()` would prevent this, but `!failure() && !cancelled()` is weaker and permits skipped upstream jobs. Consider adding `&& needs.preflight.result == 'success'` to each job's `if` condition.
Guards allow jobs to run when preflight is skipped

High Severity

The if: ${{ !failure() && !cancelled() }} condition on build, publish_cli, and release replaces the default implicit success() check, which required all needed jobs to have succeeded. The failure() status function only returns true when a needed job has failed — it returns false when a needed job was skipped. On scheduled runs with no changes, preflight is skipped (not failed), so !failure() && !cancelled() evaluates to true and these jobs will incorrectly attempt to run with empty needs.preflight.outputs.* values. This would spin up build runners unnecessarily every 3 hours and produce confusing failures. Adding && needs.preflight.result == 'success' to each condition would preserve the intended guard while also filtering out the skipped case.

Reviewed by Cursor Bugbot for commit 510350a.

Bugbot Autofix determined this is a false positive.

All three jobs (build, publish_cli, release) already include needs.preflight.result == 'success' in their conditions, which correctly prevents execution when preflight is skipped.

runs-on: ${{ matrix.runner }}
timeout-minutes: 30
strategy:
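Review bot: the new `if: ${{ !failure() && !cancelled() }}` on `build` replaces the implicit `success()` gate, and as written on this line the expression never consults `needs.preflight.result`, so a `preflight` that was skipped (neither failed nor cancelled) still lets `build` start with empty `needs.preflight` outputs. Either extend it to `if: ${{ !failure() && !cancelled() && needs.preflight.result == 'success' }}`, or, if the skipped case is already handled by a step-level condition not visible in this hunk, add a one-line comment above the `if:` pointing to it so the next reader does not have to re-derive why the weaker guard is safe.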
Expand Down Expand Up @@ -353,6 +354,7 @@ jobs:
publish_cli:
name: Publish CLI to npm
needs: [preflight, build]
if: ${{ !failure() && !cancelled() }}
runs-on: ubuntu-24.04 # blacksmith-8vcpu-ubuntu-2404
timeout-minutes: 10
steps:
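Review bot: `publish_cli` pushes to npm (per its `name`) on the same `!failure() && !cancelled()` guard, which does not distinguish a skipped `build` from a successful one; a job that publishes to a public registry should require `needs.build.result == 'success'` (and `needs.preflight.result == 'success'`) explicitly rather than rely on the absence of a failure. On the unchanged context line, the trailing `# blacksmith-8vcpu-ubuntu-2404` after `runs-on: ubuntu-24.04` reads like a leftover from a runner switch; drop it or note why it is kept.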
Expand Down Expand Up @@ -387,6 +389,7 @@ jobs:
release:
name: Publish GitHub Release
needs: [preflight, build, publish_cli]
if: ${{ !failure() && !cancelled() }}
runs-on: ubuntu-24.04 # blacksmith-8vcpu-ubuntu-2404
timeout-minutes: 10
steps:
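Review bot: with `!failure() && !cancelled()` on `release`, a skipped `publish_cli` no longer blocks the "Publish GitHub Release" job, so a GitHub Release could be created without the matching npm package having been published. If the two are meant to ship together, gate on `needs.publish_cli.result == 'success'` as well; if skipping `publish_cli` is a supported path for some release channels, say so in a comment beside the condition so the asymmetry is visibly intentional.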
Expand Down Expand Up @@ -496,7 +499,7 @@ jobs:

finalize:
name: Finalize release
if: needs.preflight.outputs.release_channel == 'stable'
if: ${{ !failure() && !cancelled() && needs.preflight.outputs.release_channel == 'stable' }}
needs: [preflight, release]
runs-on: blacksmith-8vcpu-ubuntu-2404
timeout-minutes: 10
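Review bot: the removed `if: needs.preflight.outputs.release_channel == 'stable'` contained no status function, so GitHub Actions ANDed an implicit `success()` into it and `finalize` ran only after `release` had succeeded; the replacement `${{ !failure() && !cancelled() && needs.preflight.outputs.release_channel == 'stable' }}` drops that implicit gate, so `finalize` can now run when `release` was skipped. Unless that is intended, append `&& needs.release.result == 'success'` to the expression. Minor: `finalize` lists `if:` before `needs:` while the other jobs in this diff list it after; aligning the order makes the guards easier to audit side by side.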