ci: fix release tagging on protected main#9
… excludes; docs + skill; tests to 100% coverage
| - name: Create tag | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||
| git add Cargo.toml | ||
| git commit -m "chore: bump version to ${{ steps.bump.outputs.version }}" | ||
| echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT | ||
| if git ls-remote --tags origin "refs/tags/${{ steps.bump.outputs.tag }}" | grep -q "${{ steps.bump.outputs.tag }}"; then | ||
| echo "::error::Tag ${{ steps.bump.outputs.tag }} already exists on origin" | ||
| exit 1 | ||
| fi | ||
| git tag -a "${{ steps.bump.outputs.tag }}" -m "Release ${{ steps.bump.outputs.tag }}" | ||
| git push origin main --follow-tags | ||
| git push origin "${{ steps.bump.outputs.tag }}" |
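Review bot: the `run:` script splices `${{ steps.bump.outputs.tag }}` and `${{ steps.bump.outputs.version }}` straight into shell commands (the `git commit -m`, `git ls-remote`, `git tag -a` and final `git push` lines); declare them under `env:` on the step (e.g. `TAG: ${{ steps.bump.outputs.tag }}`) and reference `"$TAG"` / `"$VERSION"` in the script, so an output containing quotes or shell metacharacters is passed as data rather than expanded into the script text. Minor: the trailing `git push origin "${{ steps.bump.outputs.tag }}"` is redundant after `git push origin main --follow-tags`, which already pushes the annotated tag that points at the commit being pushed.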
🔴 Release workflow no longer updates Cargo.toml version, causing built binaries to always report stale version
The PR removes the "Update Cargo.toml" and "Commit and tag" steps from the release workflow (release.yml:106-116 old lines), but the binary's version string is derived from Cargo.toml at compile time via #[command(version)] in src/main.rs:14. Since Cargo.toml permanently stays at version = "0.1.1", every future release binary will report 0.1.1 when users run code-scan --version, regardless of the actual git tag (e.g. v0.2.0, v1.0.0).
Root Cause
The old workflow updated Cargo.toml before building:
# OLD (removed)
- name: Update Cargo.toml
  run: sed -i 's/^version = ".*"/version = "${{ steps.bump.outputs.version }}"/' Cargo.toml
- name: Commit and tag
  run: |
    git commit ...
    git push origin main --follow-tags

The new workflow only creates and pushes a tag on the existing HEAD — Cargo.toml is never modified. The build job checks out ref: ${{ needs.create-tag.outputs.tag }} which points to the same commit where Cargo.toml still says version = "0.1.1". Clap's #[command(version)] at src/main.rs:14 reads CARGO_PKG_VERSION which is set at compile time from Cargo.toml.
Impact: Every released binary will display code-scan 0.1.1 regardless of the actual release version. Users and tooling relying on --version output will get incorrect information.
Prompt for agents
In .github/workflows/release.yml, the build job (around line 150) needs to set the correct version before running cargo build. Since you cannot push to protected main, you can override the version at build time using an environment variable. Add a step before the Build step in the build job that updates Cargo.toml in the checked-out working copy (without committing):
In the build job, before the 'Build' step (around line 151), add:
- name: Set version
  run: sed -i 's/^version = ".*"/version = "${{ needs.create-tag.outputs.version }}"/' Cargo.toml
Note: on macOS (macos-latest), sed -i requires a different syntax. Use:
run: sed -i'' -e 's/^version = ".*"/version = "${{ needs.create-tag.outputs.version }}"/' Cargo.toml
Or use a cross-platform approach. This ensures the binary reports the correct version without needing to push changes to the protected main branch.
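The comment above leaves the "cross-platform approach" open. As an added example, not code from PR #9 or the project's workflow, the helpers below rewrite the [package] version in the checked-out Cargo.toml with awk (identical on ubuntu-latest and macos-latest, unlike `sed -i`), validate the version before it touches any command, and check for an existing tag by exact refname. The function names, the strict MAJOR.MINOR.PATCH pattern and the constructed sample manifest are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from PR #9 or the project's workflow (assumed names).
# Portable helpers for the release steps discussed above: rewrite the
# version in the checked-out Cargo.toml without GNU/BSD sed differences,
# and check for an existing tag by exact refname instead of a substring.
set -eu

# Accept only plain MAJOR.MINOR.PATCH so a malformed step output never
# reaches the shell commands or the manifest (assumption: no pre-release tags).
valid_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Rewrite `version = "..."` in the [package] table only; dependency tables
# with their own version keys are left untouched. awk behaves the same on
# ubuntu-latest and macos-latest, unlike sed -i.
set_cargo_version() {
  manifest="$1"; version="$2"
  valid_version "$version" || { echo "invalid version: $version" >&2; return 1; }
  tmp="$(mktemp)"
  awk -v v="$version" '
    /^\[/ { in_pkg = ($0 == "[package]") }
    in_pkg && /^version = "/ { $0 = "version = \"" v "\"" }
    { print }
  ' "$manifest" > "$tmp" && mv "$tmp" "$manifest"
}

# Read the [package] version back, i.e. what CARGO_PKG_VERSION will be.
cargo_version() {
  awk '/^\[/ { in_pkg = ($0 == "[package]") }
       in_pkg && /^version = "/ { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# Exact match on the full refname; ls-remote may also print the peeled
# "refs/tags/<tag>^{}" line for annotated tags, which is ignored here.
# Returns 0 if the tag exists, 1 if not, 2 if the remote could not be queried.
tag_exists() {
  refs="$(git ls-remote --tags "$1" "refs/tags/$2")" || return 2
  printf '%s\n' "$refs" \
    | awk -v t="refs/tags/$2" '$2 == t { found = 1 } END { exit !found }'
}

# Constructed sample manifest mirroring the stale state described above.
write_sample_manifest() {
  printf '%s\n' '[package]' 'name = "code-scan"' 'version = "0.1.1"' \
    'edition = "2021"' '' '[dependencies]' \
    'clap = { version = "4", features = ["derive"] }' > "$1"
}
```

In the workflow, call `set_cargo_version Cargo.toml "$VERSION"` before `cargo build`, with `VERSION` supplied through the step's `env:` map rather than spliced into the script.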
Fix release workflow to derive next version from latest git tag and fail early if target tag already exists. Also keeps tag-only push (no direct push to protected main).