ci(repo): guard release workflow against stale-SHA runs #8591
jacekradko wants to merge 4 commits into
🦋 Changeset detected
Latest commit: c9ccf72
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 0 packages.
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
This PR exposes the Changesets step result as a release job output, adds a guard step that fetches origin/main and exits when the run's HEAD is superseded, removes the inline downstream-recovery step from the release job, and adds a conditional
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-recovery.yml:
- Around line 30-34: The checkout step ("name: Checkout repo" using
actions/checkout@v4) must be pinned to the main branch so the workflow always
reads package versions from main; update the checkout step to include ref: main
under its with block (i.e., add a "ref: main" setting for the
actions/checkout@v4 invocation) so workflow_dispatch runs don't use arbitrary
refs.
In @.github/workflows/release.yml:
- Around line 60-68: The step "Ensure HEAD is origin/main" currently uses exit 1
to skip stale runs which fails the job; change this to emit a step output (e.g.,
set a "stale" output via the GITHUB_OUTPUT file) and exit successfully instead
of exiting 1. Concretely, in the same step (id it e.g., ensure_head), when
local_sha != remote_sha echo the notice, write "stale=true" to $GITHUB_OUTPUT
and exit 0; otherwise write "stale=false". Then gate downstream steps with an if
condition that checks steps.ensure_head.outputs.stale == 'false' so stale runs
complete successfully without failing the job.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 544ead69-3773-4288-ac35-026396ce30aa
📒 Files selected for processing (3)
- .changeset/clean-deer-march.md
- .github/workflows/release-recovery.yml
- .github/workflows/release.yml
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)
120-120: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Sync comment references removed step.
The inline "Recover downstream notifications" step was removed and replaced by release-recovery.yml. Update the comment to reference the correct location.
📝 Suggested fix
- // NOTE: Keep in sync with the `targets` array in the "Recover downstream notifications" step below. + // NOTE: Keep in sync with the `targets` array in release-recovery.yml🤖 Prompt for AI Agents
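Review bot: the replacement comment on the `+` line names the file only as release-recovery.yml; write the full path, .github/workflows/release-recovery.yml, so a search for the path finds this note. If the `targets` array in the recovery workflow carries no matching "keep in sync" comment pointing back to release.yml, add one there too, since after this split the two lists can drift from either side.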
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml at line 120, Update the inline comment that currently references the removed "Recover downstream notifications" step so it points to the new workflow file `release-recovery.yml`; locate the comment string "// NOTE: Keep in sync with the `targets` array in the \"Recover downstream notifications\" step below." and change the text to reference `release-recovery.yml` (and its `targets` array) instead of the removed step so the note stays accurate.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/release.yml:
- Line 120: Update the inline comment that currently references the removed
"Recover downstream notifications" step so it points to the new workflow file
`release-recovery.yml`; locate the comment string "// NOTE: Keep in sync with
the `targets` array in the \"Recover downstream notifications\" step below." and
change the text to reference `release-recovery.yml` (and its `targets` array)
instead of the removed step so the note stays accurate.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 9e845213-106d-43ff-8904-e0f010ee642d
📒 Files selected for processing (2)
- .github/workflows/release-recovery.yml
- .github/workflows/release.yml
On 2026-05-18 the production release workflow failed because it ran on an older Version-packages commit after a newer one had already shipped: `changeset publish` was a no-op, `git push` failed non-fast-forward, the inline recovery step fired, and Slack got an alert for a no-op release.
This adds a guard step that fetches `origin/main` and cancels the run if HEAD has been superseded, so the older run is stopped before build instead of grinding through to a confusing push error. Cancelling (rather than failing) matches what `concurrency: cancel-in-progress` would produce, so the Actions UI reads accurately.
The downstream-dispatch recovery logic also moves into a reusable workflow at `.github/workflows/release-recovery.yml` (triggers: `workflow_call` + `workflow_dispatch`). The `release` job exposes the changesets step's conclusion as a job output, and a dependent `recover` job invokes the reusable workflow with the same gating condition as the old inline step. That also gives us a manual entry point (`gh workflow run release-recovery.yml`) so re-firing downstream dispatches no longer requires re-running a stale release.
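The stale-SHA guard discussed in this thread, in the output-based form the review comment on release.yml proposes, as an added sketch that is not the PR's own step. `check_stale`, `guard_step` and `REMOTE_BRANCH` are hypothetical names, and treating a failed fetch as stale is an assumption made here so that publish steps gated on `stale == 'false'` stay skipped.

```shell
#!/usr/bin/env bash
# Added example: stale-SHA guard for a release job (not the PR's code).
# Assumed names: check_stale, guard_step, REMOTE_BRANCH.
# GITHUB_OUTPUT is the file GitHub Actions provides for step outputs.

# Prints "stale=false" when HEAD equals origin/<branch>, "stale=true" when
# it has been superseded. Returns 2 when the comparison cannot be made.
check_stale() {
  repo_dir=$1
  branch=${REMOTE_BRANCH:-main}
  # Refresh the remote-tracking ref first; comparing against a cached
  # origin/main would let an outdated run look current.
  git -C "$repo_dir" fetch --quiet origin "$branch" || return 2
  local_sha=$(git -C "$repo_dir" rev-parse HEAD) || return 2
  remote_sha=$(git -C "$repo_dir" rev-parse "origin/$branch") || return 2
  if [ "$local_sha" = "$remote_sha" ]; then
    echo "stale=false"
  else
    echo "HEAD $local_sha superseded by origin/$branch $remote_sha" >&2
    echo "stale=true"
  fi
}

# Step body: record the result for later `if:` conditions. On any error the
# output is forced to stale=true and the step fails, so nothing downstream
# publishes from a tree whose freshness could not be verified.
guard_step() {
  result=$(check_stale "$1") || {
    echo "stale=true" >> "$GITHUB_OUTPUT"
    return 1
  }
  echo "$result" >> "$GITHUB_OUTPUT"
}
```

In a workflow the step would call `guard_step "$GITHUB_WORKSPACE"` and later steps would carry the `if:` condition on the step's `stale` output quoted in the review comment.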