fix(update-major-tag): freeze lease from post-fetch local ref

[bedatty]

GitHub Actions Shared Workflows

---

Description

Follow-up to PR #235. CodeRabbit flagged a critical flaw in that first lease implementation (comment on PR #233, line 73): reading the lease from git ls-remote immediately before the push defeats the protection.

The race the old code allowed

1. Run A fetches tags, decides LATEST=v1.26.0, reaches the push step.
2. Run B fetches, decides LATEST=v1.27.0, and force-pushes v1 → SHA_NEW first.
3. Run A then calls git ls-remote for refs/tags/v1 and reads back SHA_NEW (B's value).
4. Run A uses SHA_NEW as its lease — which matches the server — so the server accepts A's push, rewinding v1 to SHA_OLD.

The fix anterior só "parecia" proteger; o lease sempre convergia com o valor servidor no momento do push.

Fix

Capture the lease once, right after the initial git fetch --tags --force --prune, from the local ref via git rev-parse "refs/tags/$MAJOR". This freezes the lease to the state we observed when making the decision to push. If any other run updates $MAJOR between our fetch and our push, the server's value no longer matches our frozen lease and the push aborts — exactly the desired semantics.

Also switched from git rev-list -n1 (commit SHA) to git rev-parse (ref SHA) for the lease, since --force-with-lease compares ref values — for annotated tags those differ.

Affected file:

• src/config/update-major-tag/action.yml

Type of Change

• feat: New workflow or new input/output/step in an existing workflow
• fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
• perf: Performance improvement (e.g. caching, parallelism, reduced steps)
• refactor: Internal restructuring with no behavior change
• docs: Documentation only (README, docs/, inline comments)
• ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
• chore: Dependency bumps, config updates, maintenance
• test: Adding or updating tests
• BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None. The zero-SHA fallback for the first-ever tag creation is preserved.

Testing

• YAML syntax validated locally
• Triggered a real workflow run on a caller repository using @develop or the beta tag
• Verified all existing inputs still work with default values
• Confirmed no secrets or tokens are printed in logs
• Checked that unrelated workflows are not affected

Caller repo / workflow run: Next main release on this repo will exercise the composite end-to-end.

Related Issues

Corrects #235 — surfaced by CodeRabbit critical-severity review on PR #233.

Summary by CodeRabbit

• Chores
  • Optimized tag update workflow for improved reliability and performance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f78184aa-a491-47c7-8426-b0f2d239a68c

📥 Commits

Reviewing files that changed from the base of the PR and between 66e40fa and e1068e8.

📒 Files selected for processing (1)

• src/config/update-major-tag/action.yml

---

Walkthrough

The composite action now captures the current major tag reference locally after the initial git fetch and uses this snapshot as the --force-with-lease anchor instead of re-querying the remote. This eliminates an extra git ls-remote call and anchors the lease guard to the post-fetch state rather than the live remote state at push time.

Changes

Cohort / File(s)	Summary
Tag lease strategy src/config/update-major-tag/action.yml	Replaced remote-derived lease computation (REMOTE_MAJOR_SHA via git ls-remote) with locally captured major tag reference (CURRENT_MAJOR_REF). Removes remote re-query and shifts lease anchoring from live remote state at push time to post-fetch state at initialization.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• fix(update-major-tag): guard major tag push against concurrent rewinds #235: Modifies the same update-major-tag action to guard tag push with --force-with-lease using remote SHA.

Suggested labels

size/XS

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title directly describes the core fix: freezing the lease mechanism from a post-fetch local ref instead of a remote query.
Description check	✅ Passed	Description fully covers the race condition root cause, the fix rationale, affected files, testing performed, and related issues. All critical sections are complete.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/update-major-tag-lease-snapshot

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	1 file(s)	✅ success
Action Lint	no changes	⏭️ skipped
Pinned Actions	1 file(s)	✅ success
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	1 file(s)	✅ success
Shell Check	1 file(s)	✅ success
README Check	1 file(s)	✅ success
Composite Schema	1 file(s)	✅ success
Deployment Matrix	no changes	⏭️ skipped

---

_{🔍 View full scan logs}

[lerian-studio]

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.

---

_{🔍 View full scan logs | 🛡️ Security tab}