fix: stop gating sign/release jobs and package version on github.ref for release events#497
Merged
Merged
Conversation
…for release events (CommunityToolkit#495) github.ref/GITHUB_REF was observed empty on 'release: published' events (runs 28783150142 and 27936434216), which silently skipped the sign and release jobs (string-matched against github.ref) and produced a wrong package version (GetBuildVersion fell back to the main-branch build number path). - Gate sign/release on github.event_name instead of github.ref string matching for the release event, while preserving existing behavior for push-to-main and workflow_dispatch manual recovery. - Pass github.event.release.tag_name explicitly into GetBuildVersion for release events instead of relying on $env:GITHUB_REF, so a blank ref can't silently produce a wrong package version.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #495
Summary
The last two releases (
10.1.0and10.1.1) failed to publish signed NuGet packages becausegithub.ref/$env:GITHUB_REFwas empty on therelease: publishedevent — confirmed byte-for-byte in the raw logs of runs 28783150142 and 27936434216:This had two effects in both
build-library.ymlandbuild-template.yml:sign/releasejobs'if:conditions string-matched againstgithub.ref, so they silently skipped instead of failing.GetBuildVersion.psm1fell back to the main-branch build-number path, producing a bogus version (10.0.0-build.54instead of the actual release tag).Changes
In both
build-library.ymlandbuild-template.yml:sign/releaseongithub.event_nameinstead ofgithub.refstring matching. Thereleaseevent no longer depends on ref resolution at all. Existing behavior for push-to-main(signs but doesn't release) andworkflow_dispatchmanual recovery (signs + releases against a dispatched ref) is preserved exactly:github.event.release.tag_nameexplicitly into the version step forreleaseevents, instead of relying on$env:GITHUB_REF, so a blank ref can't silently produce a wrong package version even if the gating logic above weren't fixed.tools/GetBuildVersion.psm1itself is unchanged — the corrected version string is computed at the call site.Scope notes (from discussion on #495)
releasethat hard-fails ongithub.ref_name != github.event.release.tag_name) is deferred, tracked in Add fail-loudly guard to release job once github.ref-on-release-event behavior is confirmed resolved #496. Sincegithub.ref/ref_nameis empty on every observedreleaseevent so far, a literal hard-fail guard risks permanently failing every future release — even after this fix — until it's confirmed whether that emptiness persists (e.g. via a test release like10.1.2) or was transient.Tests and checks run
src//tests/changed, sodotnet build/dotnet testwere not run — this is a CI-workflow-only change (same as the precedent set in build: enable NuGet trusted publishing for release workflows #494).ruby -ryamlparse of both modified files — valid YAML.actionlint(installed locally viabrew install actionlint) run against both files — no new findings introduced. The only reported issues are pre-existingshellcheckinfo-levelSC2086warnings on lines this PR does not touch (confirmed identical, pre-existing onmainbefore this change).main,pull_request,release: published,workflow_dispatchagainst both a tag ref andmain) against the newsign/releaseconditions to confirm behavior is unchanged for push/PR/workflow_dispatch and now correctly non-skipping forreleaseevents regardless ofgithub.ref.Skipped verification
release: publishedrun (the maintainer's comment on release event triggers with an empty github.ref, silently skipping sign/release jobs (broke 10.1.0 and 10.1.1 publishing) #495 mentions testing this via a10.1.2release).Follow-up issues discovered
releasejob once it's confirmed whethergithub.ref/github.ref_namereliably resolves onreleaseevents again.