fix(release-workflow): use regular merge for dev/main sync after squash-merge

[Wirasm]

Summary

• Problem: The experimental archon-release workflow's sync-dev-with-main and commit-formula steps both used git pull origin main --ff-only to bring dev in line with main after the squash-merge. Fast-forward is impossible across a squash merge (main's squash commit has a different SHA than the release commit on dev), so the workflow aborted at sync-dev-with-main on every release run. commit-formula had a second bug: git checkout main refused while homebrew/archon.rb was still dirty from the prior step.
• Why it matters: The experimental workflow can't complete an end-to-end release. v0.3.10 hit both bugs today.
• What changed:
  • Replace --ff-only in both steps with a regular merge: git pull origin main --no-edit (matches the /release SKILL's Step 9). This creates a merge commit on dev that ties main's squash into dev's history without rewriting anything.
  • Add git stash push to commit-formula before its git checkout main so the dirty homebrew/archon.rb (and any in-progress recovery edits to other tracked files) gets carried across the branch switch instead of blocking it.
• What did NOT change (scope boundary): The workflow's fetch-and-update-formula and commit-formula steps still duplicate CI's update-homebrew job — see bug(release-workflow): sync-dev-with-main race-clobbers CI's update-homebrew formula commit #1489 for the full analysis. This PR addresses the mechanical bugs that prevented the workflow from completing at all; the architectural duplication is fixed in bug(release-workflow): sync-dev-with-main race-clobbers CI's update-homebrew formula commit #1489.

Why not a "rewrite dev to match main" approach

The first iteration of this fix replaced --ff-only with git reset --hard origin/main && git push --lease. It "worked" in that the workflow completed, but rewriting dev's history broke every open PR targeting dev. Their merge-bases shifted to much older commits, and their diffs ballooned with the release content. Confirmed today on PRs that went from +80/-1 to +6626/-300 across many files. Don't do that.

The regular-merge approach preserves history, costs only a merge bubble in dev's log, and is what the SKILL has always done.

Linked Issue

• Related bug(release-workflow): sync-dev-with-main race-clobbers CI's update-homebrew formula commit #1489 — workflow duplicates CI's formula update; the architectural fix.

Validation Evidence

• The v0.3.10 release ran today with the buggy version. Both sync-dev-with-main and commit-formula failed with the exact errors this PR fixes.
• v0.3.10 ultimately shipped via manual Step 10 + Step 11 from the /release SKILL, then verified with /test-release brew 0.3.10 and /test-release curl-mac 0.3.10. All 8 e2e smoke tests also pass on the brew-installed v0.3.10 binary (archon-stable).
• This PR has not been validated by an end-to-end clean release run; that requires the next release to actually exercise it.

Security Impact

• No new permissions/capabilities/network/secrets/fs-scope. Same git operations against the same remotes as before.

Compatibility / Migration

• Backward compatible — applies only to the experimental release workflow YAML, no engine changes.
• No config/env changes, no DB migration.

Human Verification

• Verified scenarios: git pull origin main --no-edit was used during today's recovery to merge main into dev cleanly. The git stash push pattern was applied during recovery as well.
• What was not verified: a clean end-to-end release run with these exact YAML changes in place. v0.3.10 was a recovery, not a clean run.

Side Effects / Blast Radius

• Affected: only .archon/workflows/experimental/archon-release.yaml. No other workflows, no engine, no docs.
• Potential unintended effects: the new git stash push in commit-formula will carry across any tracked-file edits the operator has in flight when the workflow runs. They reappear after git stash pop and remain uncommitted; only homebrew/archon.rb is staged for the formula commit.
• Guardrails: set -euo pipefail in both steps means any sub-command failure aborts the step.

Rollback Plan

• Fast rollback: git revert this commit. The workflow goes back to its pre-PR state, which was already broken.
• No feature flags or schema changes.
• Observable failure symptom: same as today — sync-dev-with-main fails with "Not possible to fast-forward".

Risks and Mitigations

• Risk: dev's git log will accumulate merge bubbles after each release. Some teams prefer linear dev history.
  • Mitigation: the cost is purely cosmetic; rewriting history is strictly worse for open PRs.
• Risk: the duplication with CI's update-homebrew documented in bug(release-workflow): sync-dev-with-main race-clobbers CI's update-homebrew formula commit #1489 still exists.
  • Mitigation: the inline comment now explicitly warns about this and points at bug(release-workflow): sync-dev-with-main race-clobbers CI's update-homebrew formula commit #1489.

Summary by CodeRabbit

• Chores
  • Improved release workflow stability by switching from fast-forward to merge-based pulls, resolving branch synchronization issues during multi-branch operations.
  • Enhanced Homebrew formula update process with explicit state management to prevent checkout failures and ensure proper formula commit handling.

[coderabbitai]

📝 Walkthrough

Walkthrough

The release workflow is modified to handle SHA divergence between main and dev branches by switching from fast-forward pulls to merge commits, adding stash operations before checkouts, and restructuring the formula commit strategy to prevent race conditions during CI updates.

Changes

Cohort / File(s)	Summary
Release Workflow Configuration .archon/workflows/experimental/archon-release.yaml	Modified sync and Homebrew commit paths to use merge commits instead of fast-forward pulls, added stash/pop operations around checkout operations, and restructured formula commit to only target homebrew/archon.rb with subsequent dev sync via merge.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related issues

• bug(release-workflow): sync-dev-with-main race-clobbers CI's update-homebrew formula commit #1489: This PR directly addresses the race condition between CI formula commits and the release workflow by switching from fast-forward to merge commits and adding stash operations to prevent checkout refusal when tracked files are dirty.

Poem

🐰 Hop along the branches brave and true,
No more fast-forwards causing SHA divergence anew,
With stashed changes and merges so clean,
The formula flows without a race condition scene,
Dev and main in harmony dance,
Our release workflow stands a better chance! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately captures the main fix: replacing fast-forward merges with regular merges to handle squash-merge SHA divergence between dev and main in the release workflow.
Description check	✅ Passed	The description comprehensively covers all required template sections with detailed explanations of the problem, solution, validation, security, compatibility, and rollback plan, with only the Architecture Diagram section left empty (non-critical).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/release-workflow-squash-merge-sync

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.archon/workflows/experimental/archon-release.yaml:
- Around line 841-846: The workflow currently mutates main by running git
checkout main, committing homebrew/archon.rb and pushing to origin main; change
it to create a new branch (e.g., refs/heads/release-homebrew-$ver or use the
existing dev flow), apply the file changes there, push that branch, and open a
pull request instead of pushing to main, or alternatively invoke the existing
release CI job that has permissions to update main; update the steps that
reference git checkout main, git commit -m "chore(homebrew): update formula to
v$ver", and git push origin main to instead create/checkout a new branch, git
add/commit on that branch, git push origin <branch>, and trigger a PR or the
release CI path so the update flows through dev → main review instead of
mutating main directly.
- Around line 843-846: Before running git commit/push for the Homebrew formula
update, check whether there are staged changes to homebrew/archon.rb and skip
the commit if none exist: after running git add homebrew/archon.rb, run a
staged-diff check (e.g., using git diff --staged --quiet or git diff --cached
--exit-code) and only invoke git commit -m "chore(homebrew): update formula to
v$ver" and git push origin main when that check indicates a non-empty staged
diff; otherwise log/echo that main is already up-to-date and skip the
commit/push steps.
- Around line 650-652: The workflow uses the command "git pull origin main
--no-edit" which can perform a rebase depending on runner config; replace each
occurrence of that command with an explicit fetch followed by a merge (i.e., run
"git fetch origin main" then "git merge --no-edit origin/main") so merge
semantics are forced and deterministic; update both places where "git pull
origin main --no-edit" appears to use this fetch+merge sequence.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 93dafd82-61b8-4b50-b10f-75c482eb9d76

📥 Commits

Reviewing files that changed from the base of the PR and between fd6d75e and c039482.

📒 Files selected for processing (1)

• .archon/workflows/experimental/archon-release.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does git pull origin main --no-editstill honorpull.rebase/branch..rebase, and is git fetch origin main && git merge --no-edit FETCH_HEAD(orgit pull --no-rebase) the correct way to force a merge commit?

💡 Result:

No, git pull origin main --no-edit still honors pull.rebase or branch.main.rebase configurations. The --no-edit option only affects whether an editor is opened for the merge commit message during a merge (it is passed to git merge); it does not override the rebase/merge decision made by pull.rebase (true/false) or --rebase/--no-rebase. If pull.rebase is true (or branch.main.rebase is true), git pull origin main --no-edit will fetch and then rebase onto origin/main (non-interactively, without editing rebase messages if applicable), not create a merge commit. Yes, git fetch origin main && git merge --no-edit FETCH_HEAD (or equivalently git pull origin main --no-rebase --no-edit) is the correct way to force a merge commit (accepting the auto-generated message without editing). This performs fetch + merge (skipping editor), overriding any rebase configuration.

Citations:

• 1: https://git-scm.com/docs/git-pull/2.32.0.html
• 2: https://www.kernel.org/pub/software/scm/git/docs/git-pull.html
• 3: https://git-scm.com/docs/git-pull/2.35.0.html
• 4: https://github.com/git/git/blob/e0bfec3dfc356f7d808eb5ee546a54116b794397/Documentation/git-pull.adoc
• 5: https://git-scm.com/docs/git-merge.html
• 6: https://git-scm.com/docs/git-pull.html

---

Use explicit fetch + merge to ensure deterministic merge behavior.

Lines 651 and 852 use git pull origin main --no-edit, which still respects pull.rebase and branch.*.rebase configurations. On runners configured for rebase pulls, this produces a rebase instead of a merge commit, undoing the intended sync behavior. Use git fetch + git merge --no-edit to force merge semantics:

Suggested change

       git checkout dev
-      git pull origin main --no-edit
+      git fetch origin main --quiet
+      git merge --no-edit FETCH_HEAD
       git push origin dev

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	git checkout dev
	git pull origin main --ff-only --quiet
	git pull origin main --no-edit
	git push origin dev
	git checkout dev
	git fetch origin main --quiet
	git merge --no-edit FETCH_HEAD
	git push origin dev

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.archon/workflows/experimental/archon-release.yaml around lines 650 - 652,
The workflow uses the command "git pull origin main --no-edit" which can perform
a rebase depending on runner config; replace each occurrence of that command
with an explicit fetch followed by a merge (i.e., run "git fetch origin main"
then "git merge --no-edit origin/main") so merge semantics are forced and
deterministic; update both places where "git pull origin main --no-edit" appears
to use this fetch+merge sequence.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid mutating main from this workflow.

This block still checks out main, commits on it, and pushes directly to it. That bypasses the repo’s documented dev → main flow and keeps formula updates outside the normal review path. Prefer routing the formula update through a PR or handing it off entirely to the existing release CI path.

Based on learnings: Never commit directly to main branch; main is the release branch, dev is the working branch; all feature work branches off dev and merges back to dev.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.archon/workflows/experimental/archon-release.yaml around lines 841 - 846,
The workflow currently mutates main by running git checkout main, committing
homebrew/archon.rb and pushing to origin main; change it to create a new branch
(e.g., refs/heads/release-homebrew-$ver or use the existing dev flow), apply the
file changes there, push that branch, and open a pull request instead of pushing
to main, or alternatively invoke the existing release CI job that has
permissions to update main; update the steps that reference git checkout main,
git commit -m "chore(homebrew): update formula to v$ver", and git push origin
main to instead create/checkout a new branch, git add/commit on that branch, git
push origin <branch>, and trigger a PR or the release CI path so the update
flows through dev → main review instead of mutating main directly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Skip the commit when main is already up to date.

This path still overlaps the separate Homebrew-update flow. If main already has the same homebrew/archon.rb by the time Line 844-Line 846 run, git commit exits non-zero on an empty index and the release fails even though the repo is already in the desired state. Guard the commit/push with a staged-diff check.

Suggested change

       git stash pop
       git add homebrew/archon.rb
-      git commit -m "chore(homebrew): update formula to v$ver"
-      git push origin main
+      if git diff --cached --quiet; then
+        echo "Formula already up to date on main"
+      else
+        git commit -m "chore(homebrew): update formula to v$ver"
+        git push origin main
+      fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.archon/workflows/experimental/archon-release.yaml around lines 843 - 846,
Before running git commit/push for the Homebrew formula update, check whether
there are staged changes to homebrew/archon.rb and skip the commit if none
exist: after running git add homebrew/archon.rb, run a staged-diff check (e.g.,
using git diff --staged --quiet or git diff --cached --exit-code) and only
invoke git commit -m "chore(homebrew): update formula to v$ver" and git push
origin main when that check indicates a non-empty staged diff; otherwise
log/echo that main is already up-to-date and skip the commit/push steps.