Harden release flow for stale tags and tap update failures

2026-04-21 13:27:16 +00:00 · 2026-02-19 11:45:00 +01:00 · 2026-02-19 11:45:00 +01:00 · d8a38b647d
commit d8a38b647d
parent be4bf7dcfc
3 changed files with 19 additions and 3 deletions
--- a/.github/workflows/release-notarized.yml
+++ b/.github/workflows/release-notarized.yml
@ -193,7 +193,7 @@ jobs:

          if gh release view "$TAG_NAME" >/dev/null 2>&1; then
            gh release upload "$TAG_NAME" Neon.Vision.Editor.app.zip --clobber
-            gh release edit "$TAG_NAME" --title "Neon Vision Editor $TAG_NAME" --notes-file release-notes.md
+            gh release edit "$TAG_NAME" --title "Neon Vision Editor $TAG_NAME" --notes-file release-notes.md --draft=false
          else
            gh release create "$TAG_NAME" Neon.Vision.Editor.app.zip \
              --title "Neon Vision Editor $TAG_NAME" \
@ -239,6 +239,7 @@ jobs:
            --label "release-alert"

      - name: Trigger homebrew-tap update
+        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.TAP_BOT_TOKEN }}
          TAG_NAME: ${{ inputs.tag }}
--- a/Editor.xcodeproj/project.pbxproj
+++ b/Editor.xcodeproj/project.pbxproj
@ -358,7 +358,7 @@
 				CODE_SIGNING_ALLOWED = YES;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 274;
+				CURRENT_PROJECT_VERSION = 275;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = CS727NF72U;
 				ENABLE_APP_SANDBOX = YES;
@ -439,7 +439,7 @@
 				CODE_SIGNING_ALLOWED = YES;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 274;
+				CURRENT_PROJECT_VERSION = 275;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = CS727NF72U;
 				ENABLE_APP_SANDBOX = YES;
--- a/scripts/release_all.sh
+++ b/scripts/release_all.sh
@ -353,6 +353,20 @@ if [[ "$DRY_RUN" -eq 1 ]]; then
  exit 0
 fi

+assert_tag_matches_head() {
+  local tag_name="$1"
+  local tag_sha head_sha
+  tag_sha="$(git rev-parse "${tag_name}^{commit}")"
+  head_sha="$(git rev-parse HEAD)"
+  if [[ "$tag_sha" != "$head_sha" ]]; then
+    echo "Tag ${tag_name} exists but does not point to HEAD." >&2
+    echo "  tag:  ${tag_sha}" >&2
+    echo "  head: ${head_sha}" >&2
+    echo "Use --retag to repoint the tag before notarized release." >&2
+    exit 1
+  fi
+}
+
 if step_enabled prep; then
  if git rev-parse "$TAG" >/dev/null 2>&1; then
    if [[ "$RETAG" -eq 1 ]]; then
@ -360,6 +374,7 @@ if step_enabled prep; then
      git tag -d "$TAG" >/dev/null 2>&1 || true
      git push origin ":refs/tags/${TAG}" >/dev/null 2>&1 || true
    else
+      assert_tag_matches_head "$TAG"
      echo "Tag ${TAG} already exists. Skipping release prep. Use --retag to recreate it."
      if [[ "$(git branch --show-current)" == "main" ]]; then
        git push origin main