From f296fb50839a3bb709fb0fd6e625b8705634c9e9 Mon Sep 17 00:00:00 2001
From: Matthias Dellweg
Date: Tue, 7 Apr 2026 16:29:07 +0200
Subject: [PATCH] Harden the release workflow

Don't push the release tag if the branch wasn't updated containing the tagged commit.
---
 templates/github/.github/workflows/scripts/release.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/github/.github/workflows/scripts/release.sh b/templates/github/.github/workflows/scripts/release.sh
index a08353cd..c980dd9b 100755
--- a/templates/github/.github/workflows/scripts/release.sh
+++ b/templates/github/.github/workflows/scripts/release.sh
@@ -24,4 +24,6 @@
 towncrier build --yes --version "${NEW_VERSION}"
 bump-my-version bump release --commit --message "Release {new_version}" --tag --tag-name "{new_version}" --tag-message "Release {new_version}" --allow-dirty
 bump-my-version bump patch --commit
-git push origin "${BRANCH}" "${NEW_VERSION}"
+# Git push is not atomic. And we want this to fail if the branch could not be updated.
+git push origin "${BRANCH}"
+git push origin "${NEW_VERSION}"
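Review bot: The tag push on the last added line only skips on a failed branch push if the script aborts on error, and the script's `set` options are outside this hunk, so that guarantee is not visible here; splitting into two unconditioned `git push` calls does not by itself prevent a tag from being published for a commit the branch rejected. The intended "all or nothing" behaviour is what `git push --atomic` provides, so the three added lines could be a single `git push --atomic origin "${BRANCH}" "${NEW_VERSION}"`, which refuses to update either ref when one of them fails; if the two-step form is kept, make the dependency explicit with `git push origin "${BRANCH}" && git push origin "${NEW_VERSION}"` or an `|| exit 1` on the first push so the tag push cannot run after a rejected branch update. The added comment should then say why the tag must not exist without the branch commit, e.g. `# Never publish a release tag whose commit is not reachable from ${BRANCH}.`, rather than stating that push is not atomic, since git offers an atomic mode.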