Require PR approval before release tagging #41
Add a `validate_pr_approved` check to `tag-current-branch` that verifies the release PR has been approved by an org member with write permissions before the tag is created. This prevents tagging a release before the PR is properly reviewed. Made-with: Cursor
Matches the Ruby version used by purchases-ios. Made-with: Cursor
Fixes RC009 lint: complex run step commands must use <<include()>> syntax. Made-with: Cursor
Your development orb has been published. It will expire in 30 days.
Made-with: Cursor
Your orb has been published to the CircleCI Orb Registry.
## Motivation

The release workflow currently allows tagging a release branch without verifying that the PR has been reviewed and approved. This adds a safeguard to ensure the release PR is properly approved before the tag is created.

Additionally, the repo had a custom `tag-release-branch` job that was copy-pasted from `purchases-ios`, including a wrong `working_directory: ~/purchases-ios`. This PR cleans that up.

## Description

- Bumps `revenuecat/sdks-common-config` orb to `@3.16.0`, which includes a `validate_pr_approved` step in the `tag-current-branch` job
- Replaces the custom `tag-release-branch` job with the orb's `revenuecat/tag-current-branch` (passing `ruby_version: "3.3.0"`), since the custom job was functionally equivalent and had a wrong `working_directory`

**Depends on:** RevenueCat/sdks-circleci-orb#41
## Motivation

The release workflow currently allows tagging a release branch without verifying that the PR has been reviewed and approved. This adds a safeguard to ensure the release PR is properly approved before the tag is created.

## Description

Bumps `revenuecat/sdks-common-config` orb to `@3.16.0`, which includes a `validate_pr_approved` step in the `tag-current-branch` job. This verifies the release PR has been approved by an org member with write permissions before the git tag is created.

**Depends on:** RevenueCat/sdks-circleci-orb#41
## Motivation

The release workflow currently allows tagging a release branch without verifying that the PR has been reviewed and approved. This adds a safeguard to ensure the release PR is properly approved before the tag is created.

## Description

Bumps `revenuecat/sdks-common-config` orb to `@3.16.0`, which includes a `validate_pr_approved` step in the `tag-current-branch` job. This verifies the release PR has been approved by an org member with write permissions before the git tag is created.

**Depends on:** RevenueCat/sdks-circleci-orb#41

---

> [!NOTE]
> **Medium Risk**
> Changes the release/tagging workflow behavior via an orb upgrade, which could block or alter release tagging if the new PR-approval validation misbehaves or is misconfigured.
>
> **Overview**
> Updates the CircleCI `revenuecat/sdks-common-config` orb from `3.13.0` to `3.16.0`, pulling in new behavior for the `revenuecat/tag-current-branch` job (including PR-approval validation) before creating release tags.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 604173c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
## Motivation

The release workflow currently allows tagging a release branch without verifying that the PR has been reviewed and approved. This adds a safeguard to ensure the release PR is properly approved before the tag is created.

## Description

Bumps `revenuecat/sdks-common-config` orb to `@3.16.0`, which includes a `validate_pr_approved` step in the `tag-current-branch` job. This verifies the release PR has been approved by an org member with write permissions before the git tag is created.

**Depends on:** RevenueCat/sdks-circleci-orb#41

---

> [!NOTE]
> **Medium Risk**
> Changes the release-tagging workflow behavior by pulling in a newer CircleCI orb; misconfiguration or orb regressions could block or delay release tagging.
>
> **Overview**
> Updates the CircleCI `revenuecat/sdks-common-config` orb from `3.13.0` to `3.16.0`.
>
> This is intended to add a safeguard to release tagging (via the orb’s `tag-current-branch` job) by validating that the associated release PR has been approved before creating git tags.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1d68cd9. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
## Motivation

The release workflow currently allows tagging a release branch without verifying that the PR has been reviewed and approved. This adds a safeguard to ensure the release PR is properly approved before the tag is created.

## Description

Adds a `validate_pr_approved` step to the `tag-current-branch` job. This verifies the release PR has been approved by an org member with write permissions before the git tag is created. If the PR is not approved, the job fails and the tag is not pushed.

This change affects all SDK repos that use the `revenuecat/tag-current-branch` orb job.

Reference: RevenueCat/purchases-ios#6243
Made with Cursor
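
A sketch of the decision such an approval gate has to make, added here as an illustration; it is not the orb's `validate_pr_approved` code, which this page does not show. It assumes review hashes shaped like GitHub's pull request reviews response (`user.login`, `state`, `submitted_at`) and a constructed `permissions` lookup standing in for the collaborator permission API; org membership is not modelled separately, and all function names and sample data are hypothetical.

```ruby
# Added example (not the orb's code): approval gate evaluated before tagging.
WRITE_LEVELS    = %w[admin write].freeze
DECISIVE_STATES = %w[APPROVED CHANGES_REQUESTED DISMISSED].freeze

# Reduce the review history to each reviewer's most recent decisive state.
# COMMENTED reviews are skipped so a later comment does not erase an approval;
# DISMISSED is kept so a dismissed approval stops counting.
def latest_decisions(reviews)
  reviews
    .select { |r| DECISIVE_STATES.include?(r['state']) }
    .sort_by { |r| r['submitted_at'] } # ISO 8601 UTC strings sort chronologically
    .each_with_object({}) { |r, acc| acc[r.dig('user', 'login')] = r['state'] }
end

# True only if a reviewer with write access currently approves and no such
# reviewer currently requests changes (an assumed policy). Reviewers missing
# from the permissions lookup are treated as having no access (fail closed).
def pr_approved?(reviews, permissions)
  trusted = latest_decisions(reviews)
            .select { |login, _| WRITE_LEVELS.include?(permissions[login]) }
  return false if trusted.value?('CHANGES_REQUESTED')

  trusted.value?('APPROVED')
end

# Gate used by a tagging step: raise so the job fails and no tag is pushed.
def validate_pr_approved!(reviews, permissions)
  return true if pr_approved?(reviews, permissions)

  raise 'Release PR is not approved by a reviewer with write access'
end

# Constructed sample data, not taken from any real PR.
SAMPLE_PERMISSIONS = { 'drive-by' => 'read', 'maintainer-a' => 'write' }.freeze
SAMPLE_REVIEWS = [
  { 'user' => { 'login' => 'drive-by' },     'state' => 'APPROVED',
    'submitted_at' => '2025-01-10T09:00:00Z' },
  { 'user' => { 'login' => 'maintainer-a' }, 'state' => 'APPROVED',
    'submitted_at' => '2025-01-10T10:00:00Z' },
  { 'user' => { 'login' => 'maintainer-a' }, 'state' => 'COMMENTED',
    'submitted_at' => '2025-01-10T11:00:00Z' }
].freeze
```

An approval from an account without write access never satisfies the gate on its own, and a maintainer's approval stops counting once that maintainer requests changes or the review is dismissed.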