From bccffe56ceb0f676b72794c4e2bd32f1ccf49d17 Mon Sep 17 00:00:00 2001
From: Mike Landau
Date: Sun, 7 Jun 2026 12:29:41 -0700
Subject: [PATCH 1/2] Guard cli-post-release on cli-release success for the same tag cli-post-release runs on the `released` event and promotes the tag to stable in S3. That event can fire even when cli-release failed partway (or a release is published by other means), so gate the publish job on a check that the cli-release workflow for the same commit actually succeeded, using int128/wait-for-workflows-action.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/cli-post-release.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/cli-post-release.yml b/.github/workflows/cli-post-release.yml
index 858bbd1de25..0035082d969 100644
--- a/.github/workflows/cli-post-release.yml
+++ b/.github/workflows/cli-post-release.yml
@@ -11,9 +11,28 @@ permissions:
 id-token: write # Needed for aws-actions/configure-aws-credentials@v1
 jobs:
+ # Make sure the cli-release workflow that built this tag actually succeeded
+ # before we promote it to stable. The `released` event can fire even when
+ # cli-release failed partway (or a release was published by other means), so
+ # guard against finalizing a broken release.
+ check-release:
+ runs-on: ubuntu-latest
+ steps:
+ # The `released` event can fire before the cli-release run has finished,
+ # so wait for it to complete. The action exits with failure if the waited
+ # workflow failed, which blocks the publish job below.
+ - name: Wait for cli-release to succeed for this tag
+ uses: int128/wait-for-workflows-action@v1.76.0
+ with:
+ sha: ${{ github.sha }}
+ # cli-release is triggered by the tag push, not the release event.
+ filter-workflow-events: push
+ filter-workflow-names: cli-release
+
 publish:
 runs-on: ubuntu-latest
 environment: release
+ needs: check-release
 steps:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v1
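Review bot: The added step pulls `int128/wait-for-workflows-action@v1.76.0` by a mutable tag, and in this commit check-release has no `permissions:` of its own, so it appears to inherit the workflow-level block that includes `id-token: write`; pin the action to a full commit SHA, e.g. `uses: int128/wait-for-workflows-action@<full-commit-sha> # v1.76.0` (placeholder, take the SHA from the action's release). The commit message says the gate also covers a release published by other means, but nothing in the hunk shows what the action does when no `cli-release` push run matches `github.sha`; confirm that it fails rather than passes in that case. The job also sets no `timeout-minutes`, so a run that never completes can hold check-release until the default 360-minute job limit; add a `timeout-minutes:` under `runs-on` sized to the normal release duration.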
From 12d7e32fc40143e8aa7e2b45ae67eb191a8f7088 Mon Sep 17 00:00:00 2001
From: Mike Landau
Date: Sun, 21 Jun 2026 10:45:18 -0700
Subject: [PATCH 2/2] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Mike Landau
---
 .github/workflows/cli-post-release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/cli-post-release.yml b/.github/workflows/cli-post-release.yml
index 0035082d969..0cf041d3521 100644
--- a/.github/workflows/cli-post-release.yml
+++ b/.github/workflows/cli-post-release.yml
@@ -16,6 +16,9 @@ jobs:
 # cli-release failed partway (or a release was published by other means), so
 # guard against finalizing a broken release.
 check-release:
+ permissions:
+ actions: read
+ contents: read
 runs-on: ubuntu-latest
 steps:
 # The `released` event can fire before the cli-release run has finished,
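Review bot: The new job-level `permissions:` block on check-release gives no reason for either scope, unlike the workflow-level `id-token: write # Needed for ...` line this file already carries; add trailing comments such as `actions: read # Needed to look up the cli-release run for this sha`. `contents: read` is worth confirming against the wait action's documented requirements, since the steps of this job visible here do not check out the repository; drop it if the action does not need it. The check-release job continues past the end of this hunk.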