Every release leaves its release: vX.Y.Z commit orphaned. For v1.2.4:
$ git merge-base --is-ancestor v1.2.4 origin/main; echo $?
1 # tag is not an ancestor of main
The version fields on main are stale as a result: backend/cli says 1.2.3, tooling/sdk/js and tooling/plugin say 1.2.2, while npm latest is 1.2.4.
Cause: tooling/repo/publish.ts commits the version bumps and pushes with
await $`git push origin HEAD --tags --no-verify --force-with-lease`.nothrow()
Branch protection on main requires a PR, so the branch push is rejected. Tags are exempt, so the tag lands. .nothrow() swallows the rejection and the run stays green.
Consequences:
- the tagged tree that gets published to npm was never reviewed or CI-tested
- main permanently disagrees with every released tree
- the npm deployment record uses
context.sha (publish.yml), which is the pre-release commit, not the tree that shipped
The pipeline only works at all because tooling/repo/version.ts computes the next version from the npm registry rather than from package.json.
Fix options: have the release job open a release PR instead of pushing to main, or add the workflow's identity as a branch-protection bypass actor. Either way, drop the .nothrow() on the push so a rejected push fails the release loudly.
Every release leaves its
release: vX.Y.Zcommit orphaned. For v1.2.4:The version fields on main are stale as a result: backend/cli says 1.2.3, tooling/sdk/js and tooling/plugin say 1.2.2, while npm latest is 1.2.4.
Cause:
tooling/repo/publish.tscommits the version bumps and pushes withBranch protection on main requires a PR, so the branch push is rejected. Tags are exempt, so the tag lands.
.nothrow()swallows the rejection and the run stays green.Consequences:
context.sha(publish.yml), which is the pre-release commit, not the tree that shippedThe pipeline only works at all because
tooling/repo/version.tscomputes the next version from the npm registry rather than from package.json.Fix options: have the release job open a release PR instead of pushing to main, or add the workflow's identity as a branch-protection bypass actor. Either way, drop the
.nothrow()on the push so a rejected push fails the release loudly.