Signed tags incorrectly checked out

[danielrbradley]

When pushing a signed tag (or possibly any other tag object), the checked out tag ref points directly to the commit hash rather than the tag object.

Impact: unable to perform additional git commands as tree is out of sync.

Example workflow with issue

1. Create and push signed tag. Creates something like:

   $ cat .git/refs/tags/v1.0.0
   6d516f7003b7db4f2a6e3a15332f23afa3e4e7f9
   $ git cat-file -t 6d516f7003b7db4f2a6e3a15332f23afa3e4e7f9
   tag
   $ git cat-file -p 6d516f7003b7db4f2a6e3a15332f23afa3e4e7f9
   object 3f7352e5bd0ac4ad07bb64964d96b411a29d769b:refs
   type commit
   tag v1.0.0
   tagger Author Name <author@company.example> 1638969265 +0000

2. Use checkout action during workflow running based on the tag push trigger:

   "on":
     push:
       tags:
         - v*.*.*
   ...
   steps:
     - name: Checkout Repo
       uses: actions/checkout@v2

3. Source is fetched using a command such as:

   /usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +3f7352e5bd0ac4ad07bb64964d96b411a29d769b:refs/tags/v1.0.0

4. The tag is now out of sync with the remote. If a command tries to sync the tag it will fail e.g.

   $ git fetch --prune --unshallow --tags
   ! [rejected]        v1.0.0     -> v1.0.0  (would clobber existing tag)
   $ cat .git/refs/tags/v1.0.0
   3f7352e5bd0ac4ad07bb64964d96b411a29d769b

Note: this might in fact affect any tag which creates a tag object rather than a direct referent to the commit object.

[joao-conde]

Was this fixed? Is it available for version 1 of this action?

[dustin-ruetz]

I encountered this (would clobber existing tag) error today but I was able to work around it by using Git's lightweight tags as opposed to annotated tags. The latter are stored as full objects in the Git database and this is what causes the problem (as @danielrbradley mentioned in the original issue comment).

💡 For future reference in case this helps someone else:

1. I was working with an initial v0.0.0 placeholder tag that was created as an annotated tag using the git tag -a v0.0.0 -m "initial release" command.
2. When actions/checkout@v4 failed with the (would clobber existing tag) error, I deleted this annotated tag from both my local repo (git tag -d v0.0.0) and the remote repo (git push origin --delete v0.0.0).
3. I then re-created the tag as a lightweight tag using the git tag v0.0.0 command.
4. I pushed the lightweight tag to the remote repo with the git push origin --tags command and confirmed that the git fetch --prune --unshallow --tags command did not error out in the action run ✅

[linux4life798]

Wow, I can't believe this issue still exists.

TL;DR If you are using annotated/signed tags and have GitHub release/tag builders that depend on git describe working correctly, you need to add ref: ${{ github.ref }} to your normal GitHub Checkout action.

So, your checkout step might look like the following:

      - name: Checkout repository
        uses: actions/checkout@v4
        # Unfortunately, `git describe` will not function correctly if this
        # action is triggered by an annotated tag, unless we force it to fetch
        # ${{ github.ref }}.
        with:
          fetch-depth: 0
          fetch-tags: true
          ref: ${{ github.ref }}

Thanks @danielrbradley and @rzr for rzr@e0a2428.