Skip to content

fix(ci): fetch-tags on tag-introspection checkouts so signed annotated tags pass#532

Open
branarakic wants to merge 1 commit into
mainfrom
fix/ci-fetch-tags-on-tag-introspection
Open

fix(ci): fetch-tags on tag-introspection checkouts so signed annotated tags pass#532
branarakic wants to merge 1 commit into
mainfrom
fix/ci-fetch-tags-on-tag-introspection

Conversation

@branarakic
Copy link
Copy Markdown
Contributor

@branarakic branarakic commented May 15, 2026

Summary

The release.yml Validate release candidate job and the npm-publish.yml Require signed annotated tag job both rely on git cat-file -t <tag> returning tag for annotated tags. They use actions/checkout@v4 to materialise the tag, but without fetch-tags: true — which means the runner gets a synthetic lightweight ref pointing at the commit, not the tag-object.

So git cat-file -t v10.0.0-rc.8 returns commit instead of tag, and the structural signed-tag gate rejects the (correctly signed) tag with:

Tag v10.0.0-rc.8 is a lightweight ref (git object type \`commit\`), not an annotated tag.
Lightweight tags cannot carry a signature.

This was the failure mode on the v10.0.0-rc.8 push earlier today (release.yml run 25943282274). The tag was correctly created with git tag -sgit ls-remote shows it as a tag object whose ^{} peels to the merge commit on main, and the body contains the expected -----BEGIN SSH SIGNATURE----- block.

Author intent is unambiguous

From release.yml lines 100–124:

LAYER 1 (HARD GATE) — structural signed-tag detection. […] We CAN reliably detect whether the tag is signed AT ALL: a signed annotated tag's object body always contains a PGP/SSH signature block. An unannotated ("lightweight") tag has no object body — it is just a ref to a commit. Either case is rejected here.

The gate is supposed to PASS legitimately-signed annotated tags. The bug is purely the missing fetch-tags: true.

Change

14 lines, in two places:

  • release.yml Validate release candidate checkout (line 53–60)
  • npm-publish.yml Require signed annotated tag checkout (line 226–230)

Both gain fetch-tags: true plus a 6-line comment explaining why the option matters.

No version bump (workflow-only change). No test changes (these are CI gates that fire only on tag pushes).

Other checkouts in these workflows

Audited:

  • release.yml line 281 (Build MarkItDown binary): doesn't read tag annotation, no change needed.
  • release.yml line 428 (Build, test, and create release): uses --notes-file release_notes.md (sourced from CHANGELOG.md), not the tag annotation; doesn't need fetch-tags.
  • npm-publish.yml line 284 (build-and-pack): only reads .nvmrc and package.json; doesn't need fetch-tags.

So the minimal correct fix is exactly these two checkouts.

Test plan

  • Diff is workflow-only (.github/workflows/)
  • No package.json versions touched
  • Audited every other actions/checkout in both workflows for the same bug
  • CI passes on this PR (no tag pushes triggered, so the relevant gates won't fire here — they fire on the next tag push)
  • After merge: delete v10.0.0-rc.8 (local + remote), re-tag against new main HEAD, push → release.yml passes structural gate → reviewer approves npm-publish Environment → publish completes

Why this didn't fire before

v10.0.0-rc.7 and earlier went through the OLD continuous-publish-on-merge flow. PR #522 introduced the new tag-triggered flow with this signed-tag gate, and v10.0.0-rc.8 is the first tag pushed under it — first time the bug was exercised.

Made with Cursor

@cursoragent
fix(ci): fetch-tags on tag-introspection checkouts so signed annotate…
2b93226 
…d tags pass

The `Validate release candidate` job in `release.yml` and the `Require
signed annotated tag` job in `npm-publish.yml` both use `actions/checkout`
to materialise the pushed tag, then run `git cat-file -t <tag>` to verify
the tag is annotated (and `git cat-file -p <tag>` to grep for a PGP/SSH
signature block).

`actions/checkout@v4` does not fetch annotated tag OBJECTS by default —
it materialises the tag as a synthetic lightweight ref pointing at the
commit. So `git cat-file -t <tag>` returns `commit` instead of `tag`,
and the structural signed-tag gate rejects legitimately signed tags
with "Tag is a lightweight ref ... lightweight tags cannot carry a
signature".

This was the failure mode on `v10.0.0-rc.8`: the tag was correctly
created with `git tag -s` (annotated, SSH-signed) and `git ls-remote`
on the remote shows it as a tag object whose `^{}` peels to the merge
commit. But the workflow's runner saw it as lightweight because
`fetch-tags: true` was missing from the checkout.

Setting `fetch-tags: true` makes actions/checkout actually download the
annotated tag object alongside the commit, so `git cat-file -t` returns
the expected `tag` and the signature-block grep can read the body.

Author intent (from the existing comments in release.yml around line 100)
is unambiguous: the structural check is meant to PASS for annotated
signed tags and only REJECT lightweight or unsigned tags. This fix
restores that intended behaviour.

Co-authored-by: Cursor <cursoragent@cursor.com>
github-actions[bot]
github-actions Bot reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex review completed — no issues found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@Jurij89 Jurij89 Awaiting requested review from Jurij89 Jurij89 is a code owner

@zsculac zsculac Awaiting requested review from zsculac zsculac is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@branarakic