Skip to content

chore(ci): validate release tag before staging deployment#440

Merged
FSM1 merged 2 commits into
mainfrom
chore/ci-staging-release-tag-check
Apr 1, 2026
Merged

chore(ci): validate release tag before staging deployment#440
FSM1 merged 2 commits into
mainfrom
chore/ci-staging-release-tag-check

Conversation

@FSM1

@FSM1 FSM1 commented Apr 1, 2026

Copy link
Copy Markdown
Owner

Summary

  • Adds a release tag check in the Resolve main SHA step of the Tag Staging Release workflow
  • Fails fast with a clear error if no release-please tag (cipher-box-v* or @cipherbox/*) exists on main HEAD
  • Prevents staging deployments from unversioned commits without reverting to the old manual tag-selection approach

Test plan

  • Trigger Tag Staging Release workflow — should succeed since current main HEAD has release tags
  • Verify the workflow would fail on a commit without release tags (e.g., after a feature PR merges but before release-please runs)

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Chores
    • Enhanced release validation process to ensure proper tag requirements are met before deployment.

Prevent staging releases from unversioned commits by checking that a
release-please tag (cipher-box-v* or @cipherbox/*) exists on main HEAD
before proceeding with E2E tests and tag creation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: a120f3a551a3
Copilot AI review requested due to automatic review settings April 1, 2026 14:47
@coderabbitai

coderabbitai Bot commented Apr 1, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@FSM1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 59 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minutes and 59 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5e59d2bd-924f-4aee-9df1-fd23137dce11

📥 Commits

Reviewing files that changed from the base of the PR and between 2852132 and 6c93975.

📒 Files selected for processing (1)
  • .github/workflows/tag-staging.yml

Walkthrough

The resolve-main step in the tag-staging workflow now verifies that the main commit has a release tag matching cipher-box-v* or @cipherbox/* before outputting the commit SHA. The job fails if no such tag is found.

Changes

Cohort / File(s) Summary
Workflow Tag Verification
.github/workflows/tag-staging.yml
Added runtime validation in resolve-main step to enforce that main branch commits have required release tags; computes SHA, checks for matching tags, and outputs SHA only if tag exists, otherwise exits with error.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding validation for release tags before staging deployment in the CI workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/ci-staging-release-tag-check

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented Apr 1, 2026

Copy link
Copy Markdown
Contributor

Release Preview

No version bumps detected. All changes are in unversioned paths or use exempt commit types.

@codecov

codecov Bot commented Apr 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.32%. Comparing base (fb90ceb) to head (6c93975).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #440      +/-   ##
==========================================
+ Coverage   62.29%   62.32%   +0.02%     
==========================================
  Files         135      135              
  Lines       10085    10085              
  Branches     1051     1053       +2     
==========================================
+ Hits         6282     6285       +3     
+ Misses       3586     3583       -3     
  Partials      217      217              
Flag Coverage Δ
api 84.97% <ø> (+0.05%) ⬆️
api-client 84.97% <ø> (+0.05%) ⬆️
core 84.97% <ø> (+0.05%) ⬆️
crypto 84.97% <ø> (+0.05%) ⬆️
sdk 84.97% <ø> (+0.05%) ⬆️
sdk-core 84.97% <ø> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@FSM1 FSM1 enabled auto-merge (squash) April 1, 2026 14:50

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a “fail fast” safeguard to the Tag Staging Release workflow so staging tags/deploys only proceed when main HEAD is already associated with a release-please tag, preventing staging deployments from unversioned commits.

Changes:

  • Update Resolve main SHA step to verify main HEAD has an expected release tag before continuing.
  • Emit a clear GitHub Actions error and exit early when no matching tag is present.

Comment thread .github/workflows/tag-staging.yml Outdated
@FSM1 FSM1 disabled auto-merge April 1, 2026 14:51
Expand the release tag pattern to also match component tags like
cipherbox-desktop-v* and cipherbox-tee-worker-v*, since release-please
bumps components independently and a release commit may only carry
component tags without the root cipher-box-v* tag.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 4ad9b646d7d7
@FSM1 FSM1 enabled auto-merge (squash) April 1, 2026 14:56
@FSM1 FSM1 merged commit df6824a into main Apr 1, 2026
26 checks passed
@FSM1 FSM1 deleted the chore/ci-staging-release-tag-check branch April 14, 2026 00:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants