From bccffe56ceb0f676b72794c4e2bd32f1ccf49d17 Mon Sep 17 00:00:00 2001
From: Mike Landau
Date: Sun, 7 Jun 2026 12:29:41 -0700
Subject: [PATCH] Guard cli-post-release on cli-release success for the same tag

cli-post-release runs on the `released` event and promotes the tag to stable in S3. That event can fire even when cli-release failed partway (or a release is published by other means), so gate the publish job on a check that the cli-release workflow for the same commit actually succeeded, using int128/wait-for-workflows-action.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/cli-post-release.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.github/workflows/cli-post-release.yml b/.github/workflows/cli-post-release.yml
index 858bbd1de25..0035082d969 100644
--- a/.github/workflows/cli-post-release.yml
+++ b/.github/workflows/cli-post-release.yml
@@ -11,9 +11,28 @@ permissions:
   id-token: write # Needed for aws-actions/configure-aws-credentials@v1
 jobs:
 
+  # Make sure the cli-release workflow that built this tag actually succeeded
+  # before we promote it to stable. The `released` event can fire even when
+  # cli-release failed partway (or a release was published by other means), so
+  # guard against finalizing a broken release.
+  check-release:
+    runs-on: ubuntu-latest
+    steps:
+      # The `released` event can fire before the cli-release run has finished,
+      # so wait for it to complete. The action exits with failure if the waited
+      # workflow failed, which blocks the publish job below.
+      - name: Wait for cli-release to succeed for this tag
+        uses: int128/wait-for-workflows-action@v1.76.0
+        with:
+          sha: ${{ github.sha }}
+          # cli-release is triggered by the tag push, not the release event.
+          filter-workflow-events: push
+          filter-workflow-names: cli-release
+
   publish:
     runs-on: ubuntu-latest
     environment: release
+    needs: check-release
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
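Review bot: The new `check-release` job inherits the workflow-level `id-token: write` shown as context at the top of the hunk (the enclosing `permissions:` block starts outside the hunk) but only runs the third-party `int128/wait-for-workflows-action`, which has no need for an OIDC token; a malicious or compromised release of that action would be able to mint a token for the AWS role the `publish` job assumes. Give the job its own least-privilege block so that only `publish` keeps the OIDC scope, `permissions:` / `actions: read` / `contents: read` directly under `check-release:`, and confirm against the action's README which read scope it actually needs for listing workflow runs. For the same supply-chain reason, pin the action to its full commit SHA with the version in a trailing comment rather than the mutable `v1.76.0` tag, since a moved tag would silently change what runs with access to the release pipeline. The commit message also says the guard covers a release "published by other means", but for such a commit there may be no `cli-release` run at all, so verify that the action fails rather than succeeds vacuously when `filter-workflow-names` matches nothing; if it does not, add an explicit step that asserts a matching run exists before `publish` proceeds.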