Avoid triggering zizmor ref-confusion

taiki-e · taiki-e · commit 93ea0b33c357 · 2026-03-09T00:28:28.000+09:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,8 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+- Avoid triggering [zizmor ref-confusion](https://docs.zizmor.sh/audits/#ref-confusion) when using this action in form of `uses: taiki-e/install-action@v2` or `uses: taiki-e/install-action@<tool_name>`.
+
 ## [2.68.23] - 2026-03-08
 
 - Update `zizmor@latest` to 1.23.0.
diff --git a/tools/publish.sh b/tools/publish.sh
@@ -121,9 +121,9 @@ retry git push origin refs/heads/main
 retry git push origin refs/tags/"${tag}"
 
 major_version_tag="v${version%%.*}"
-git branch "${major_version_tag}"
+git branch "releases/${major_version_tag}"
 git tag -f "${major_version_tag}"
-refs=("refs/heads/${major_version_tag}" "+refs/tags/${major_version_tag}")
+refs=("refs/heads/releases/${major_version_tag}" "+refs/tags/${major_version_tag}")
 
 tools=()
 for tool in tools/codegen/base/*.json; do
@@ -142,20 +142,22 @@ tools+=(
 # Non-manifest-based tools.
 tools+=(valgrind)
 
+branches=()
 for tool in "${tools[@]}"; do
-  git checkout -b "${tool}"
+  git checkout -b "releases/${tool}"
   sed -E "${in_place[@]}" action.yml \
     -e "s/required: true/required: false/g" \
     -e "s/# default: #publish:tool/default: ${tool}/g"
   git add action.yml
   git commit -m "${tool}"
   git tag -f "${tool}"
   git checkout main
-  refs+=("+refs/heads/${tool}" "+refs/tags/${tool}")
+  refs+=("+refs/heads/releases/${tool}" "+refs/tags/${tool}")
+  branches+=("releases/${tool}")
 done
 retry git push origin --atomic "${refs[@]}"
-git branch -d "${major_version_tag}"
-git branch -D "${tools[@]}"
+git branch -d "releases/${major_version_tag}"
+git branch -D "${branches[@]}"
 
 schema_workspace=/tmp/workspace
 rm -rf -- "${schema_workspace}"
