Skip to content

ci: release by tag-only publish (no commit to ruleset-protected main)#8

Merged
uipreliga merged 1 commit into
mainfrom
ci/release-pypi-no-main-push
Jul 9, 2026
Merged

ci: release by tag-only publish (no commit to ruleset-protected main)#8
uipreliga merged 1 commit into
mainfrom
ci/release-pypi-no-main-push

Conversation

@uipreliga

Copy link
Copy Markdown
Collaborator

Problem

The Release run failed pushing the version-bump commit to main:

remote: error: GH013: Repository rule violations found for refs/heads/main.

main is protected by a repository ruleset ("Protect main": pull_request + required_status_checks), which the semantic-release direct push violates. (Classic branch-protection API reports "not protected" because rulesets are a separate mechanism.) The original design bypassed this with a GitHub App whose secrets are missing.

Approach

Decouple releasing from the main commit entirely — no bypass actor / App needed:

  • Version is read from pyproject.toml (bumped via a normal PR, which the ruleset already requires) — the workflow never rewrites it.
  • Guard: refuse to run if v<version> already exists (forgotten-bump protection; PyPI versions are immutable).
  • Build → publish to PyPI + Azure feed + GHCR, then push only the v<version> git tag (tags are outside the branch ruleset).
  • Drops semantic-release, the uv.lock amend, and the push to main.

Net −70/+43 lines.

New release flow

  1. Bump version in pyproject.toml (+ src/coder_eval/__init__.py) via a PR.
  2. Actions → Release (no inputs) → publishes whatever version main declares + pushes its tag.

First release will publish 0.8.2 (current main version, unclaimed on PyPI).

🤖 Generated with Claude Code

The Release run failed pushing the version-bump commit to main:
`GH013: Repository rule violations` — main is protected by a ruleset
("Protect main": PRs required + status checks), which the semantic-release
direct push violates. Rather than depend on a bypass actor / GitHub App,
decouple releasing from the main commit:

- Version is read from pyproject.toml (bumped via a normal PR, which the
  ruleset already requires), not written by the workflow.
- Refuse to run if `v<version>` already exists (forgotten bump guard).
- Build + publish to PyPI + Azure feed + GHCR, then push ONLY the
  `v<version>` git tag (tags are outside the branch ruleset).
- Drop semantic-release, the uv.lock amend, and the push to main.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Claude finished @uipreliga's task in 1m 47s —— View job


Reviewing PR: Release by tag-only publish

Todo List:

  • Read code review guidelines from .github/code_review.md
  • Read project conventions from CLAUDE.md
  • Examine the full diff (git diff origin/main...HEAD)
  • Read the full workflow file for context
  • Analyze for correctness and potential issues
  • Check cross-file consistency
  • Identify what's missing
  • Post comprehensive review feedback

Starting review now...

@uipreliga uipreliga merged commit 4bd3c6a into main Jul 9, 2026
14 checks passed
@uipreliga uipreliga deleted the ci/release-pypi-no-main-push branch July 9, 2026 10:35
akshaylive added a commit that referenced this pull request Jul 9, 2026
Effectively reverts #8 (tag-only, manual-bump release). The release app has
been re-added with a ruleset bypass, so the workflow can once again push the
version-bump commit + tag directly to protected main.

- Restore the `bump` dispatch input (patch/minor/major, default patch).
- Mint a GitHub App installation token and checkout/push as the app (bypasses
  the "Protect main" ruleset that GITHUB_TOKEN cannot).
- semantic-release writes the new version to pyproject.toml + __init__.py,
  tags v<version>, regenerates the changelog, then we regenerate uv.lock,
  amend, and push commit + tag to main.
- Drop the manual-bump re-release guard and the separate tag-release job
  (the tag now travels with the bump commit).

Public PyPI publishing (OIDC Trusted Publishing) and the best-effort GHCR
image are kept.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant