fix(ci): eliminate git tag race condition with dedicated set-git-tag job

.github/workflows/build-test-publish.yml

@@ -273,9 +273,19 @@ jobs:
       trivy_exit_code: ${{ inputs.trivy_exit_code }}
       docker_meta: ${{ inputs.docker_meta }}
 
+  set_git_tag:
+    if: ${{ github.event_name == 'push' }}
+    needs: [test_and_build, security_scan_artifacts]
+    uses: ./.github/workflows/set-git-tag.yml
+    with:
+      runner: ${{ inputs.runner }}
+      tool: ${{ inputs.tool }}
+      root_dir: ${{ inputs.root_dir }}
+      artifact_path: ${{ inputs.artifact_path }}
+
   publish_docker_image:
     if: ${{ github.event_name == 'push' && inputs.docker_meta != '' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/publish-docker-image.yml
     with:
       root_dir: ${{ inputs.root_dir }}
@@ -290,7 +300,7 @@ jobs:
 
   publish_npm_libraries:
     if: ${{ github.event_name == 'push' && inputs.library_path != '' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/publish-npm-libraries.yml
     with:
       root_dir: ${{ inputs.root_dir }}
@@ -303,7 +313,7 @@ jobs:
 
   publish_python_libraries:
     if: ${{ github.event_name == 'push' && inputs.tool == 'uv' && inputs.publish_python_libraries == 'true' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/publish-python-libraries.yml
     with:
       root_dir: ${{ inputs.root_dir }}
@@ -313,7 +323,7 @@ jobs:
 
   publish_firefox_extension:
     if: ${{ github.event_name == 'push' && inputs.addon_guid != '' && inputs.xpi_path != '' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/publish-firefox-extension.yml
     with:
       runner: ${{ inputs.runner }}
@@ -325,7 +335,7 @@ jobs:
 
   release_android_apk:
     if: ${{ github.event_name == 'push' && inputs.app_root != '' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/release-android-apk.yml
     with:
       runner: ${{ inputs.runner }}
@@ -337,7 +347,7 @@ jobs:
 
   release_github:
     if: ${{ github.event_name == 'push' &&  inputs.artifact_path != '' && inputs.publish_github_release == 'true' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/release-github.yml
     with:
       runner: ${{ inputs.runner }}
@@ -348,7 +358,7 @@ jobs:
 
   publish_crates_io:
     if: ${{ github.event_name == 'push' && inputs.tool == 'cargo' }}
-    needs: [test_and_build, security_scan_artifacts]
+    needs: [test_and_build, security_scan_artifacts, set_git_tag]
     uses: ./.github/workflows/publish-crates-io.yml
     with:
       runner: ${{ inputs.runner }}
@@ -378,6 +388,7 @@ jobs:
         test_and_build,
         security_scan_source,
         security_scan_artifacts,
+        set_git_tag,
         publish_docker_image,
         publish_npm_libraries,
         publish_python_libraries,

.github/workflows/publish-docker-image.yml

@@ -114,19 +114,6 @@ jobs:
             echo "::notice::[Docker] No version found, publishing latest only"
           fi
 
-      - name: set git tag if not yet set
-        if: ${{ env.DOCKER_VERSION_TAG != '' && (inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true') && matrix.docker.name == fromJson(inputs.docker_meta)[0].name }}
-        run: |
-          if git ls-remote --tags origin "${{ env.DOCKER_VERSION_TAG }}" | grep -q "${{ env.DOCKER_VERSION_TAG }}"; then
-            echo "::warning::[Docker] Tag ${{ env.DOCKER_VERSION_TAG }} already exists, skipping tag creation"
-          else
-            git tag "${{ env.DOCKER_VERSION_TAG }}"
-            git push origin "${{ env.DOCKER_VERSION_TAG }}"
-            echo "::notice::[Docker] Created and pushed tag ${{ env.DOCKER_VERSION_TAG }}"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: run docker pre script
         if: ${{ inputs.docker_pre != '' && (inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true') }}
         run: ${{ inputs.docker_pre }}

.github/workflows/publish-npm-libraries.yml

@@ -81,31 +81,6 @@ jobs:
             ${{ inputs.root_dir }}/yarn.lock
             ${{ inputs.root_dir }}/pnpm-lock.yaml
 
-      - name: extract version from package.json
-        if: ${{ steps.check_artifact_exists.outputs.exists == 'true' }}
-        id: extract_version
-        run: |
-          VERSION=$(jq -r .version package.json)
-          if [[ -z "${VERSION}" || "${VERSION}" == "null" ]]; then
-            echo "::warning::[NPM] Could not extract version from package.json, skipping git tag"
-          else
-            echo "release_tag=v${VERSION}" >> $GITHUB_OUTPUT
-            echo "::notice::[NPM] Extracted version: v${VERSION}"
-          fi
-
-      - name: set git tag if not yet set
-        if: ${{ steps.check_artifact_exists.outputs.exists == 'true' && steps.extract_version.outputs.release_tag != '' }}
-        run: |
-          if git ls-remote --tags origin "${{ steps.extract_version.outputs.release_tag }}" | grep -q "${{ steps.extract_version.outputs.release_tag }}"; then
-            echo "::warning::[NPM] Tag ${{ steps.extract_version.outputs.release_tag }} already exists, skipping tag creation"
-          else
-            git tag "${{ steps.extract_version.outputs.release_tag }}"
-            git push origin "${{ steps.extract_version.outputs.release_tag }}"
-            echo "::notice::[NPM] Created and pushed tag ${{ steps.extract_version.outputs.release_tag }}"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: install latest npm for OIDC support
         run: npm install -g npm@latest
 

.github/workflows/publish-python-libraries.yml

@@ -55,32 +55,3 @@ jobs:
           echo "FAILURE_REASON=missing_artifact" >> $GITHUB_ENV
           exit 1
 
-      - name: extract version from pyproject.toml
-        if: ${{ steps.check_artifact_exists.outputs.exists == 'true' }}
-        id: extract_version
-        run: |
-          if [[ -f pyproject.toml ]]; then
-            VERSION=$(grep -m1 '^version' pyproject.toml | cut -d'"' -f2)
-          else
-            echo "::error::[PyPI] Cannot find pyproject.toml"
-            exit 1
-          fi
-          if [[ -z "${VERSION}" || "${VERSION}" == "null" ]]; then
-            echo "::error::[PyPI] Could not extract version from pyproject.toml (got: '${VERSION}')"
-            exit 1
-          fi
-          echo "release_tag=v${VERSION}" >> $GITHUB_OUTPUT
-          echo "::notice::[PyPI] Extracted version: v${VERSION}"
-
-      - name: set git tag if not yet set
-        if: ${{ steps.check_artifact_exists.outputs.exists == 'true' }}
-        run: |
-          if git ls-remote --tags origin "${{ steps.extract_version.outputs.release_tag }}" | grep -q "${{ steps.extract_version.outputs.release_tag }}"; then
-            echo "::warning::[PyPI] Tag ${{ steps.extract_version.outputs.release_tag }} already exists, skipping tag creation"
-          else
-            git tag "${{ steps.extract_version.outputs.release_tag }}"
-            git push origin "${{ steps.extract_version.outputs.release_tag }}"
-            echo "::notice::[PyPI] Created and pushed tag ${{ steps.extract_version.outputs.release_tag }}"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-github.yml

@@ -88,19 +88,6 @@ jobs:
           echo "release_tag=v${VERSION}" >> $GITHUB_OUTPUT
           echo "::notice::[Release] Extracted version: v${VERSION}"
 
-      - name: set git tag if not yet set
-        if: ${{ steps.check_artifact_exists.outputs.exists == 'true' }}
-        run: |
-          if git ls-remote --tags origin "${{ steps.extract_version.outputs.release_tag }}" | grep -q "${{ steps.extract_version.outputs.release_tag }}"; then
-            echo "::warning::[Release] Tag ${{ steps.extract_version.outputs.release_tag }} already exists, skipping tag creation"
-          else
-            git tag "${{ steps.extract_version.outputs.release_tag }}"
-            git push origin "${{ steps.extract_version.outputs.release_tag }}"
-            echo "::notice::[Release] Created and pushed tag ${{ steps.extract_version.outputs.release_tag }}"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: check if release already exists
         if: ${{ steps.check_artifact_exists.outputs.exists == 'true' }}
         id: check_release_exists

.github/workflows/set-git-tag.yml

@@ -0,0 +1,80 @@
+name: set git tag
+
+on:
+  workflow_call:
+    inputs:
+      runner:
+        description: "workflow-runner"
+        default: "ubuntu-latest"
+        required: false
+        type: string
+      tool:
+        description: "build tool - uv, npm, yarn, cargo, etc."
+        default: "none"
+        required: false
+        type: string
+      root_dir:
+        description: "path to project root (where the manifest file is)"
+        default: "."
+        required: false
+        type: string
+      artifact_path:
+        description: "path to artifact files (used as fallback for uv version.json)"
+        default: ""
+        required: false
+        type: string
+
+jobs:
+  set_git_tag:
+    name: set git tag
+    runs-on: ${{ inputs.runner }}
+    timeout-minutes: 5
+    permissions:
+      contents: write
+    defaults:
+      run:
+        working-directory: ${{ inputs.root_dir }}
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v6
+
+      - name: extract version from manifest
+        id: extract_version
+        run: |
+          if [[ "${{ inputs.tool }}" == "npm" || "${{ inputs.tool }}" == "yarn" ]]; then
+            VERSION=$(jq -r .version package.json)
+          elif [[ "${{ inputs.tool }}" == "uv" ]]; then
+            if [[ -f pyproject.toml ]]; then
+              VERSION=$(grep -m1 '^version' pyproject.toml | cut -d'"' -f2)
+            elif [[ -f "${{ inputs.artifact_path }}/version.json" ]]; then
+              VERSION=$(jq -r .version "${{ inputs.artifact_path }}/version.json")
+            else
+              echo "::error::[Tag] Cannot find pyproject.toml or version.json for uv project"
+              exit 1
+            fi
+          elif [[ "${{ inputs.tool }}" == "cargo" ]]; then
+            VERSION=$(grep -m1 '^version' Cargo.toml | cut -d'"' -f2)
+          else
+            echo "::notice::[Tag] Unsupported tool '${{ inputs.tool }}' for version extraction, skipping tag"
+            exit 0
+          fi
+
+          if [[ -z "${VERSION}" || "${VERSION}" == "null" ]]; then
+            echo "::warning::[Tag] Could not extract version from manifest (got: '${VERSION}'), skipping tag"
+            exit 0
+          fi
+          echo "release_tag=v${VERSION}" >> $GITHUB_OUTPUT
+          echo "::notice::[Tag] Extracted version: v${VERSION}"
+
+      - name: set git tag if not yet set
+        if: ${{ steps.extract_version.outputs.release_tag != '' }}
+        run: |
+          if git ls-remote --tags origin "${{ steps.extract_version.outputs.release_tag }}" | grep -q "${{ steps.extract_version.outputs.release_tag }}"; then
+            echo "::warning::[Tag] Tag ${{ steps.extract_version.outputs.release_tag }} already exists, skipping tag creation"
+          else
+            git tag "${{ steps.extract_version.outputs.release_tag }}"
+            git push origin "${{ steps.extract_version.outputs.release_tag }}"
+            echo "::notice::[Tag] Created and pushed tag ${{ steps.extract_version.outputs.release_tag }}"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}