fix(update-major-tag): guard major tag push against concurrent rewinds

[bedatty]

GitHub Actions Shared Workflows

---

Description

Fixes a TOCTOU race flagged by CodeRabbit on PR #233 for the floating-major-tag update composite (src/config/update-major-tag/action.yml).

Problem

self-release.yml and release.yml do not define a concurrency: block, so two release runs on main (e.g. back-to-back merges) can overlap. If run A resolves LATEST=v1.26.0 while run B resolves LATEST=v1.27.0 and finishes its push first (moving v1 → def), run A's subsequent git push --force would silently rewind v1 back to abc (v1.26.0). Consumers pinning to @v1 would regress until the next release.

Fix

Replace the unconditional --force with --force-with-lease, reading the current remote SHA via git ls-remote first:

REMOTE_MAJOR_SHA=$(git ls-remote --refs --tags origin "refs/tags/$MAJOR" | awk '{print $1}')
LEASE_SHA="${REMOTE_MAJOR_SHA:-0000000000000000000000000000000000000000}"
git push origin "refs/tags/$MAJOR:refs/tags/$MAJOR" \
  --force-with-lease="refs/tags/$MAJOR:$LEASE_SHA"

If another run advanced $MAJOR between the lease read and the push, the push fails loudly instead of rewinding the tag. The zero-SHA fallback handles the first-ever push (tag not yet present on remote).

Affected file:

• src/config/update-major-tag/action.yml

Type of Change

• feat: New workflow or new input/output/step in an existing workflow
• fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
• perf: Performance improvement (e.g. caching, parallelism, reduced steps)
• refactor: Internal restructuring with no behavior change
• docs: Documentation only (README, docs/, inline comments)
• ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
• chore: Dependency bumps, config updates, maintenance
• test: Adding or updating tests
• BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None. The lease-based push succeeds in every case the previous unconditional --force did, except when a concurrent run has already advanced the tag — which is exactly the scenario we want to detect and abort.

Testing

• YAML syntax validated locally
• Triggered a real workflow run on a caller repository using @develop or the beta tag
• Verified all existing inputs still work with default values
• Confirmed no secrets or tokens are printed in logs
• Checked that unrelated workflows are not affected

Caller repo / workflow run: Next main release in this repo will exercise the composite end-to-end (self-release.yml is the only caller).

Related Issues

Related to #233 — surfaced by CodeRabbit review on that PR.

Summary by CodeRabbit

• Chores
  • Enhanced the safety of the major tag update workflow by replacing unconditional force push with a lease-based mechanism that validates remote state before pushing, reducing the risk of concurrent conflicts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ab656cc5-8d5c-4be5-93cc-99f30f76dd31

📥 Commits

Reviewing files that changed from the base of the PR and between a714b98 and 3adfa34.

📒 Files selected for processing (1)

• src/config/update-major-tag/action.yml

---

Walkthrough

Replaced forced push operation with lease-based force push for major tag updates. Workflow now queries remote commit SHA for the major tag via git ls-remote, derives lease SHA with zero-value fallback, and uses it to validate expected remote state before push.

Changes

Cohort / File(s)	Summary
Major Tag Push Safety src/config/update-major-tag/action.yml	Switched from git push --force to git push --force-with-lease=refs/tags/$MAJOR:$LEASE_SHA. Added git ls-remote query to fetch current remote commit SHA, fallback to all-zero SHA if tag absent, preventing accidental overwrites of concurrent tag modifications.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: replacing unconditional git push --force with --force-with-lease to prevent concurrent tag rewinds.
Description check	✅ Passed	The description covers all required template sections: problem statement, technical fix with code, affected files, type of change (fix), breaking changes (none), testing verification, and related issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/update-major-tag-lease

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	1 file(s)	✅ success
Action Lint	no changes	⏭️ skipped
Pinned Actions	1 file(s)	✅ success
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	1 file(s)	✅ success
Shell Check	1 file(s)	✅ success
README Check	1 file(s)	✅ success
Composite Schema	1 file(s)	✅ success
Deployment Matrix	no changes	⏭️ skipped

---

_{🔍 View full scan logs}

[lerian-studio]

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.

---

_{🔍 View full scan logs | 🛡️ Security tab}