Skip to content

Release commits never reach main: branch protection rejects the push and the release script swallows it #26

Description

Every release leaves its release: vX.Y.Z commit orphaned. For v1.2.4:

$ git merge-base --is-ancestor v1.2.4 origin/main; echo $?
1        # tag is not an ancestor of main

The version fields on main are stale as a result: backend/cli says 1.2.3, tooling/sdk/js and tooling/plugin say 1.2.2, while npm latest is 1.2.4.

Cause: tooling/repo/publish.ts commits the version bumps and pushes with

await $`git push origin HEAD --tags --no-verify --force-with-lease`.nothrow()

Branch protection on main requires a PR, so the branch push is rejected. Tags are exempt, so the tag lands. .nothrow() swallows the rejection and the run stays green.

Consequences:

  • the tagged tree that gets published to npm was never reviewed or CI-tested
  • main permanently disagrees with every released tree
  • the npm deployment record uses context.sha (publish.yml), which is the pre-release commit, not the tree that shipped

The pipeline only works at all because tooling/repo/version.ts computes the next version from the npm registry rather than from package.json.

Fix options: have the release job open a release PR instead of pushing to main, or add the workflow's identity as a branch-protection bypass actor. Either way, drop the .nothrow() on the push so a rejected push fails the release loudly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions