From 6cff6e3d26e8f3f5a901295d5c7d2c1076f8954b Mon Sep 17 00:00:00 2001 From: Bob Date: Thu, 19 Mar 2026 17:58:10 +0000 Subject: [PATCH 01/11] feat(ci): add automated dev release workflow --- .github/workflows/build-tauri.yml | 9 +- .github/workflows/build.yml | 9 +- .github/workflows/dev-release.yml | 183 ++++++++++++++++++++++++++++++ 3 files changed, 197 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/dev-release.yml diff --git a/.github/workflows/build-tauri.yml b/.github/workflows/build-tauri.yml index 02c2df728..9d3f7c98f 100644 --- a/.github/workflows/build-tauri.yml +++ b/.github/workflows/build-tauri.yml @@ -51,6 +51,11 @@ jobs: echo "RELEASE=${{ startsWith(github.ref_name, 'v') || github.ref_name == 'master' }}" >> $GITHUB_ENV echo "TAURI_BUILD=true" >> $GITHUB_ENV + - name: Set tag metadata + if: startsWith(github.ref, 'refs/tags/v') + run: | + echo "VERSION_TAG=${GITHUB_REF_NAME}" >> $GITHUB_ENV + - name: Set up Python uses: actions/setup-python@v5 with: @@ -160,7 +165,7 @@ jobs: make dist/notarize fi - mv dist/ActivityWatch.dmg dist/activitywatch-$(scripts/package/getversion.sh)-macos-x86_64.dmg + mv dist/ActivityWatch.dmg dist/activitywatch-${VERSION_TAG:-$(scripts/package/getversion.sh)}-macos-x86_64.dmg env: APPLE_EMAIL: ${{ secrets.APPLE_EMAIL }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} @@ -242,4 +247,4 @@ jobs: draft: true files: dist/*/activitywatch-*.* body_path: dist/release_notes_tauri/release_notes.md - prerelease: ${{ !(steps.version.outputs.is_stable == 'true') }} + prerelease: true diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 86058b6ff..f7348b0c9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
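Review bot: `VERSION_TAG` is set for any tag that starts with `v` and is then expanded unquoted into the artifact path on the `mv` line, so a tag such as `v1/test` would yield a path with an extra directory and the rename would fail late in the macOS packaging step. Checking the shape where the variable is set, e.g. `[[ "$GITHUB_REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] || exit 1` (assuming the step runs under bash like its neighbours), and quoting the destination as `"dist/activitywatch-${VERSION_TAG:-$(scripts/package/getversion.sh)}-macos-x86_64.dmg"` keeps the release file name predictable. The same two hunks appear in `build.yml`. Whether `getversion.sh` prints the same string as the tag, leading `v` included, is not visible here; if it does not, the macOS artifact name changes for tag builds.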
@@ -52,6 +52,11 @@ jobs: run: | echo "RELEASE=${{ startsWith(github.ref_name, 'v') || github.ref_name == 'master' }}" >> $GITHUB_ENV + - name: Set tag metadata + if: startsWith(github.ref, 'refs/tags/v') + run: | + echo "VERSION_TAG=${GITHUB_REF_NAME}" >> $GITHUB_ENV + - name: Set up Python uses: actions/setup-python@v5 with: @@ -173,7 +178,7 @@ jobs: # Notarize make dist/notarize fi - mv dist/ActivityWatch.dmg dist/activitywatch-$(scripts/package/getversion.sh)-macos-x86_64.dmg + mv dist/ActivityWatch.dmg dist/activitywatch-${VERSION_TAG:-$(scripts/package/getversion.sh)}-macos-x86_64.dmg env: APPLE_EMAIL: ${{ secrets.APPLE_EMAIL }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} @@ -270,4 +275,4 @@ jobs: draft: true files: dist/*/activitywatch-*.* body_path: dist/release_notes/release_notes.md - prerelease: ${{ !(steps.version.outputs.is_stable == 'true') }} # must compare to true, since boolean outputs are actually just strings, and "false" is truthy since it's not empty: https://github.com/actions/runner/issues/1483#issuecomment-994986996 + prerelease: true diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml new file mode 100644 index 000000000..0a6969779 --- /dev/null +++ b/.github/workflows/dev-release.yml 
@@ -0,0 +1,183 @@ +name: Create dev release + +# Create prerelease tags on a schedule (every other Thursday) or manually. +# The existing build workflows already know how to package tag builds and create +# draft GitHub prereleases, so this workflow only needs to decide whether a new +# prerelease is warranted and push the next prerelease tag. + +on: + schedule: + - cron: '0 12 * * 4' + workflow_dispatch: + inputs: + release_line: + description: 'Release line to prerelease from' + required: true + default: patch + type: choice + options: + - patch + - minor + +permissions: + contents: write + +concurrency: + group: dev-release + cancel-in-progress: false + +jobs: + preflight: + name: Pre-flight checks + runs-on: ubuntu-latest + outputs: + should_release: ${{ steps.preflight.outputs.should_release }} + next_tag: ${{ steps.preflight.outputs.next_tag }} + since_ref: ${{ steps.preflight.outputs.since_ref }} + commits_since_ref: ${{ steps.preflight.outputs.commits_since_ref }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: recursive + + - name: Decide whether to create a dev release + id: preflight + env: + GH_TOKEN: ${{ github.token }} + RELEASE_LINE: ${{ github.event.inputs.release_line || 'patch' }} + run: | + set -euo pipefail + + if [ "${GITHUB_EVENT_NAME}" = "schedule" ]; then + week=$(date -u +%V) + if [ $((10#$week % 2)) -eq 1 ]; then + echo "Skipping this week to keep the cadence biweekly." 
+ echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + fi + + bump_version() { + python3 - "$1" "$2" <<'PY' + import sys + + version = sys.argv[1] + release_line = sys.argv[2] + major, minor, patch = map(int, version.split('.')) + + if release_line == 'minor': + minor += 1 + patch = 0 + else: + patch += 1 + + print(f"{major}.{minor}.{patch}") + PY + } + + latest_stable=$(git tag --sort=-version:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || true) + if [ -z "$latest_stable" ]; then + echo "No stable tag found, refusing to create prerelease tags." + echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + next_base=$(bump_version "${latest_stable#v}" "$RELEASE_LINE") + prerelease_pattern="^v${next_base//./\\.}b[0-9]+$" + last_prerelease=$(git tag --sort=-version:refname | grep -E "$prerelease_pattern" | head -1 || true) + + if [ -n "$last_prerelease" ]; then + since_ref="$last_prerelease" + last_prerelease_num=${last_prerelease##*b} + next_tag="v${next_base}b$((last_prerelease_num + 1))" + else + since_ref="$latest_stable" + next_tag="v${next_base}b1" + fi + + commits_since_ref=$(git rev-list "${since_ref}..HEAD" --count) + echo "latest_stable=$latest_stable" + echo "last_prerelease=${last_prerelease:-}" + echo "since_ref=$since_ref" + echo "next_tag=$next_tag" + echo "commits_since_ref=$commits_since_ref" + + if [ "$commits_since_ref" -eq 0 ]; then + echo "No new commits since $since_ref, skipping dev release." 
+ echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + head_sha=$(git rev-parse HEAD) + conclusions=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${head_sha}/check-runs" \ + --paginate \ + --jq '[.check_runs[] | select( + .app.slug == "github-actions" and + (.name | test("^Pre-flight checks$|^Create dev release$") | not) + )] | map(.conclusion) | unique | .[]' 2>/dev/null || echo unknown) + + echo "CI conclusions: $conclusions" + + if echo "$conclusions" | grep -qE 'failure|action_required|timed_out'; then + echo "CI has failures on HEAD, skipping dev release." + echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + if echo "$conclusions" | grep -qE 'null|pending'; then + echo "CI is still running on HEAD, skipping dev release." + echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + if [ -z "$conclusions" ] || [ "$conclusions" = "unknown" ]; then + echo "CI status unavailable on HEAD, skipping dev release." + echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + if ! echo "$conclusions" | grep -q 'success'; then + echo "No successful CI checks found on HEAD, skipping dev release." 
+ echo "should_release=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + echo "should_release=true" >> "$GITHUB_OUTPUT" + echo "next_tag=$next_tag" >> "$GITHUB_OUTPUT" + echo "since_ref=$since_ref" >> "$GITHUB_OUTPUT" + echo "commits_since_ref=$commits_since_ref" >> "$GITHUB_OUTPUT" + + create-tag: + name: Create dev release tag + needs: preflight + if: needs.preflight.outputs.should_release == 'true' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + ref: master + fetch-depth: 0 + submodules: recursive + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Configure git + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + + - name: Create and push prerelease tag + run: | + set -euo pipefail + tag="${{ needs.preflight.outputs.next_tag }}" + git tag -a "$tag" -m "Development prerelease $tag" + git push origin "$tag" + { + echo "## Dev release created" + echo "" + echo "- Tag: \`$tag\`" + echo "- Changes since: \`${{ needs.preflight.outputs.since_ref }}\`" + echo "- Commits: \`${{ needs.preflight.outputs.commits_since_ref }}\`" + echo "" + echo "The existing tag-triggered build workflows will now build artifacts and create/update the draft prerelease." + } >> "$GITHUB_STEP_SUMMARY" From aea076914a3c7579d7d0d4c144dfbc06c7d34ae9 Mon Sep 17 00:00:00 2001 From: Bob Date: Fri, 20 Mar 2026 04:03:12 +0000 Subject: [PATCH 02/11] =?UTF-8?q?fix(ci):=20revert=20hardcoded=20prereleas?= =?UTF-8?q?e:=20true=20=E2=80=94=20restore=20conditional=20for=20stable=20?= =?UTF-8?q?releases?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build-tauri.yml | 2 +- .github/workflows/build.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-tauri.yml b/.github/workflows/build-tauri.yml index 9d3f7c98f..0ca965bc5 100644 --- a/.github/workflows/build-tauri.yml 
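Review bot: The `Create and push prerelease tag` step pastes `${{ needs.preflight.outputs.next_tag }}`, `since_ref` and `commits_since_ref` straight into the shell script, so the expanded text becomes part of the script before bash parses it. Today those values derive from tag names filtered by the version regexes in preflight, which keeps them harmless, but the step stops being safe as soon as that filtering changes. Passing them through `env:` and reading them as quoted shell variables keeps them as data. Only the changed lines are shown below.

```yaml
      - name: Create and push prerelease tag
        env:
          NEXT_TAG: ${{ needs.preflight.outputs.next_tag }}
          SINCE_REF: ${{ needs.preflight.outputs.since_ref }}
          COMMITS_SINCE_REF: ${{ needs.preflight.outputs.commits_since_ref }}
        run: |
          # … unchanged: set -euo pipefail …
          tag="$NEXT_TAG"
          # … unchanged: git tag, git push, summary heading and tag line …
          echo "- Changes since: \`${SINCE_REF}\`"
          echo "- Commits: \`${COMMITS_SINCE_REF}\`"
          # … unchanged: rest of the summary block …
```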
+++ b/.github/workflows/build-tauri.yml @@ -247,4 +247,4 @@ jobs: draft: true files: dist/*/activitywatch-*.* body_path: dist/release_notes_tauri/release_notes.md - prerelease: true + prerelease: ${{ !(steps.version.outputs.is_stable == 'true') }} # must compare to true, since boolean outputs are actually just strings, and "false" is truthy since it's not empty: https://github.com/actions/runner/issues/1483#issuecomment-994986996 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f7348b0c9..b6479c94a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -275,4 +275,4 @@ jobs: draft: true files: dist/*/activitywatch-*.* body_path: dist/release_notes/release_notes.md - prerelease: true + prerelease: ${{ !(steps.version.outputs.is_stable == 'true') }} # must compare to true, since boolean outputs are actually just strings, and "false" is truthy since it's not empty: https://github.com/actions/runner/issues/1483#issuecomment-994986996 From 78990e51db2c03c3fe2c5e2305a9ae3088ac55aa Mon Sep 17 00:00:00 2001 From: Bob Date: Fri, 20 Mar 2026 08:58:32 +0000 Subject: [PATCH 03/11] fix(ci): handle cancelled CI and use robust self-exclusion filter Address two Greptile review findings: 1. Add `cancelled` and `startup_failure` to the CI failure pattern. Previously, a cancelled CI run would not block a dev release. 2. Replace fragile hardcoded job name strings with check_suite.id filtering. The old filter relied on exact job name matches ("Pre-flight checks", "Create dev release") which would break if jobs were renamed. Now uses GITHUB_RUN_ID to get the current run's check suite ID and exclude all check runs from it. Co-authored-by: Bob --- .github/workflows/dev-release.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 0a6969779..4c185d2ca 100644 --- a/.github/workflows/dev-release.yml 
+++ b/.github/workflows/dev-release.yml @@ -110,16 +110,23 @@ jobs: fi head_sha=$(git rev-parse HEAD) + + # Get the current workflow run's check suite ID so we can exclude + # our own check runs without relying on fragile job name strings + current_suite_id=$(gh api "repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \ + --jq '.check_suite_id' 2>/dev/null || echo "0") + conclusions=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${head_sha}/check-runs" \ --paginate \ - --jq '[.check_runs[] | select( + --jq --arg suite "$current_suite_id" \ + '[.check_runs[] | select( .app.slug == "github-actions" and - (.name | test("^Pre-flight checks$|^Create dev release$") | not) + ((.check_suite.id | tostring) != $suite) )] | map(.conclusion) | unique | .[]' 2>/dev/null || echo unknown) echo "CI conclusions: $conclusions" - if echo "$conclusions" | grep -qE 'failure|action_required|timed_out'; then + if echo "$conclusions" | grep -qE 'failure|action_required|timed_out|cancelled|startup_failure'; then echo "CI has failures on HEAD, skipping dev release." echo "should_release=false" >> "$GITHUB_OUTPUT" exit 0 From ea344ae84d8259a3bdbaa477ee976d78977c4692 Mon Sep 17 00:00:00 2001 From: Bob Date: Fri, 20 Mar 2026 14:17:51 +0000 Subject: [PATCH 04/11] fix(ci): re-enable dependabot submodule updates --- .github/dependabot.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0163c07ee..f9920a703 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
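Review bot: The extended failure pattern is still a deny-list, so any conclusion it does not name (for example `stale`) passes the gate as long as one other check run reports `success`. An allow-list is easier to keep correct: `if echo "$conclusions" | grep -qvE '^(success|skipped|neutral)$'; then` followed by the same skip branch rejects everything unexpected, including `null` and `unknown`. The rest of the gate lies outside this hunk; the later `success` requirement would stay as it is.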
@@ -7,12 +7,11 @@ updates: schedule: interval: "monthly" - # Maintain submodule versions - # NOTE: too noisy, easier to update by hand - #- package-ecosystem: "gitsubmodule" - # directory: "/" - # schedule: - # interval: "monthly" + # Maintain submodule versions so module releases propagate into the meta-repo + - package-ecosystem: "gitsubmodule" + directory: "/" + schedule: + interval: "weekly" # Maintain dependencies for pip/poetry # NOTE: too noisy, easier to update by hand From ef4fb4e3f2c385bc8d4f18676ca8bb2345b0ab8f Mon Sep 17 00:00:00 2001 From: Bob Date: Fri, 20 Mar 2026 14:52:36 +0000 Subject: [PATCH 05/11] fix(ci): simplify dev-release tag checkout --- .github/workflows/dev-release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 4c185d2ca..56d712178 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -164,8 +164,7 @@ jobs: - uses: actions/checkout@v4 with: ref: master - fetch-depth: 0 - submodules: recursive + fetch-depth: 1 token: ${{ secrets.GITHUB_TOKEN }} - name: Configure git From fba875baf291c22b8c3e7a1872e5355fa1bafd6d Mon Sep 17 00:00:00 2001 From: Bob Date: Fri, 20 Mar 2026 20:22:48 +0000 Subject: [PATCH 06/11] fix(ci): pin dev release tag to verified SHA --- .github/workflows/dev-release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 56d712178..94fec1288 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml 
@@ -35,11 +35,11 @@ jobs: next_tag: ${{ steps.preflight.outputs.next_tag }} since_ref: ${{ steps.preflight.outputs.since_ref }} commits_since_ref: ${{ steps.preflight.outputs.commits_since_ref }} + head_sha: ${{ steps.preflight.outputs.head_sha }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - submodules: recursive - name: Decide whether to create a dev release id: preflight @@ -154,6 +154,7 @@ jobs: echo "next_tag=$next_tag" >> "$GITHUB_OUTPUT" echo "since_ref=$since_ref" >> "$GITHUB_OUTPUT" echo "commits_since_ref=$commits_since_ref" >> "$GITHUB_OUTPUT" + echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT" create-tag: name: Create dev release tag @@ -163,7 +164,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: master + ref: ${{ needs.preflight.outputs.head_sha }} fetch-depth: 1 token: ${{ secrets.GITHUB_TOKEN }} From 05430bb18759071e9898e7f31e45e18874627ef4 Mon Sep 17 00:00:00 2001 From: Bob Date: Fri, 20 Mar 2026 20:50:14 +0000 Subject: [PATCH 07/11] fix(ci): reduce submodule dependabot noise --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f9920a703..052dc5952 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,7 +11,7 @@ updates: - package-ecosystem: "gitsubmodule" directory: "/" schedule: - interval: "weekly" + interval: "monthly" # Maintain dependencies for pip/poetry # NOTE: too noisy, easier to update by hand From fd27894f880c1dd06dccff492fe4286e8d0b5744 Mon Sep 17 00:00:00 2001 
From: Bob Date: Sat, 21 Mar 2026 02:23:23 +0000 Subject: [PATCH 08/11] fix(ci): replace Python heredoc with pure bash for version bump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The <<'PY' heredoc terminator was indented inside the YAML run: | block. YAML literal blocks strip leading whitespace but heredoc terminators must appear at column 0 in bash (only <<- strips leading tabs, not spaces). Replace with equivalent pure bash arithmetic — no Python dependency needed for simple semver bumping. --- .github/workflows/dev-release.yml | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 94fec1288..0ff097f72 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -59,21 +59,15 @@ jobs: fi bump_version() { - python3 - "$1" "$2" <<'PY' - import sys - - version = sys.argv[1] - release_line = sys.argv[2] - major, minor, patch = map(int, version.split('.')) - - if release_line == 'minor': - minor += 1 - patch = 0 - else: - patch += 1 - - print(f"{major}.{minor}.{patch}") - PY + local version="$1" release_line="$2" + IFS='.' read -r major minor patch <<< "$version" + if [ "$release_line" = "minor" ]; then + minor=$((minor + 1)) + patch=0 + else + patch=$((patch + 1)) + fi + echo "${major}.${minor}.${patch}" } latest_stable=$(git tag --sort=-version:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1 || true) @@ -187,4 +181,4 @@ jobs: echo "- Commits: \`${{ needs.preflight.outputs.commits_since_ref }}\`" echo "" echo "The existing tag-triggered build workflows will now build artifacts and create/update the draft prerelease." - } >> "$GITHUB_STEP_SUMMARY" + } >> "$GITHUB_STEP_SUMMARY" \ No newline at end of file From b109cc59ccf6d4d85506e66c03479fbbbea74027 Mon Sep 17 00:00:00 2001 
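Review bot: The bash `bump_version` reads a component with a leading zero as octal, so a tag like `v0.08.1` (accepted by the `[0-9]+` tag regex on the context line below the function) makes `$((minor + 1))` fail, where the removed Python `int()` accepted it. Forcing base 10 with `minor=$((10#$minor + 1))` and `patch=$((10#$patch + 1))` restores that behaviour. `major`, `minor` and `patch` are also assigned without `local`, so they leak into the step's global scope; `local major minor patch` before the `read` keeps the helper self-contained.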
From: Bob Date: Sat, 21 Mar 2026 10:57:39 +0000 Subject: [PATCH 09/11] fix(ci): fix --jq/--arg flag order, biweekly parity, trailing newline - Move --arg before --jq so gh api receives the correct jq expression instead of consuming '--arg' as the expression (causing silent failure and conclusions always being 'unknown') - Replace ISO week parity with reference-date calculation to avoid 3-week gaps at year boundaries (ISO week resets in Dec/Jan) - Add trailing newline at end of file --- .github/workflows/dev-release.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 0ff097f72..22857f01d 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -50,8 +50,12 @@ jobs: set -euo pipefail if [ "${GITHUB_EVENT_NAME}" = "schedule" ]; then - week=$(date -u +%V) - if [ $((10#$week % 2)) -eq 1 ]; then + # Use a fixed reference Thursday to compute biweekly parity, avoiding + # ISO week resets at year boundaries (which cause a 3-week gap in Dec/Jan). + ref_epoch=$(date -d "2024-01-04" +%s) # a known even-week Thursday + now_epoch=$(date -u +%s) + weeks_since=$(( (now_epoch - ref_epoch) / 604800 )) + if [ $((weeks_since % 2)) -eq 1 ]; then echo "Skipping this week to keep the cadence biweekly." echo "should_release=false" >> "$GITHUB_OUTPUT" exit 0 @@ -112,8 +116,8 @@ jobs: conclusions=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${head_sha}/check-runs" \ --paginate \ - --jq --arg suite "$current_suite_id" \ - '[.check_runs[] | select( + --arg suite "$current_suite_id" \ + --jq '[.check_runs[] | select( .app.slug == "github-actions" and ((.check_suite.id | tostring) != $suite) )] | map(.conclusion) | unique | .[]' 2>/dev/null || echo unknown) 
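Review bot: `--arg` is a jq option and, as far as I know, not a flag that `gh api` accepts, so moving it in front of `--jq` most likely makes gh exit with an unknown-flag error instead of running the filter. Because the call ends in `2>/dev/null || echo unknown`, that error is hidden and the gate would always report "CI status unavailable"; it fails closed, but no dev release would ever be cut. Piping the paginated output to standalone jq avoids the problem: `--paginate | jq -r --arg suite "$current_suite_id" '[.check_runs[] | …'`, keeping the `|| echo unknown` fallback. Dropping `2>/dev/null` would also let the real error show up in the job log.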
@@ -181,4 +185,4 @@ jobs: echo "- Commits: \`${{ needs.preflight.outputs.commits_since_ref }}\`" echo "" echo "The existing tag-triggered build workflows will now build artifacts and create/update the draft prerelease." - } >> "$GITHUB_STEP_SUMMARY" \ No newline at end of file + } >> "$GITHUB_STEP_SUMMARY" From 0f97e217f0d83c938af5a94b19d7e229f1ae093a Mon Sep 17 00:00:00 2001 From: Bob Date: Sat, 21 Mar 2026 11:36:31 +0000 Subject: [PATCH 10/11] fix(ci): add missing permissions and use PAT for tag push - Add actions: read and checks: read to permissions block so the preflight CI gate can call /actions/runs/{id} and /commits/{sha}/check-runs - Switch create-tag checkout from GITHUB_TOKEN to AWBOT_GH_TOKEN so the pushed dev release tag actually triggers build.yml and build-tauri.yml (GITHUB_TOKEN-originated pushes are blocked from spawning new workflow runs) --- .github/workflows/dev-release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 22857f01d..555ed4ca8 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -21,6 +21,8 @@ on: permissions: contents: write + actions: read # needed for /actions/runs/{run_id} (check_suite_id lookup) + checks: read # needed for /commits/{sha}/check-runs concurrency: group: dev-release @@ -164,7 +166,7 @@ jobs: with: ref: ${{ needs.preflight.outputs.head_sha }} fetch-depth: 1 - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.AWBOT_GH_TOKEN }} # PAT required — GITHUB_TOKEN cannot trigger downstream tag-based workflows - name: Configure git run: | From fd5bc44d848e143b6ace2f77b911b2d088e15c56 Mon Sep 17 00:00:00 2001 From: Bob Date: Sat, 21 Mar 2026 11:59:50 +0000 Subject: [PATCH 11/11] fix(ci): add ref: master to preflight checkout to prevent non-master dispatch tags --- .github/workflows/dev-release.yml | 1 + 1 file changed, 1 insertion(+) 
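Review bot: Once the tag is pushed with `AWBOT_GH_TOKEN`, the workflow-level `contents: write` grant to `GITHUB_TOKEN` looks unnecessary: preflight only reads, and the push in create-tag uses the credential that `actions/checkout` stores from `token:`. I would lower it to `contents: read` in the permissions hunk and keep the two new read scopes. The PAT's own scope is not visible here; a fine-grained token limited to contents write on this repository would keep the blast radius small if the secret leaks. A comment next to `token:` stating the expected scope would help the next maintainer, for example `# fine-grained PAT, this repo only, contents: read/write`.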
diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 555ed4ca8..b37709653 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -41,6 +41,7 @@ jobs: steps: - uses: actions/checkout@v4 with: + ref: master # explicit: prevent workflow_dispatch from a non-master branch tagging the wrong commit fetch-depth: 0 - name: Decide whether to create a dev release
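Review bot: The `ref: master` guard lives only in the checkout step, and a `workflow_dispatch` run uses the workflow file from the branch it was dispatched on, so the guard holds only while that branch's copy of `dev-release.yml` is unmodified. A job-level condition states the intent where it is harder to miss: `if: github.event_name == 'schedule' || github.ref == 'refs/heads/master'` on `preflight`. For real enforcement the tag-pushing secret would need to sit in an environment restricted to `master`; whether such an environment exists is not visible in this series.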