fix: harden release-guard workflow and prevent race condition#4776
Closed
bryanbeverly wants to merge 7 commits intotrufflesecurity:mainfrom
Closed
fix: harden release-guard workflow and prevent race condition#4776bryanbeverly wants to merge 7 commits intotrufflesecurity:mainfrom
bryanbeverly wants to merge 7 commits intotrufflesecurity:mainfrom
Conversation
The `gh` CLI commands fail with "fatal: not a git repository" because the workflow never checks out the repo and gh cannot infer the repository context. Setting GH_REPO avoids the need for a checkout step. Fixes the failure in: https://github.com/trufflesecurity/trufflehog/actions/runs/22491672284 Made-with: Cursor
Use an intermediate environment variable for github.ref_name instead of interpolating it directly into the shell command. Made-with: Cursor
Check the Release workflow run status before deciding to unset latest. If the pipeline completed successfully for this tag, the latest flag was set intentionally and the guard should not undo it. This prevents a race where a delayed guard run could revert a legitimate release. Also passes event context through env vars and adds actions:read permission for gh run list. Made-with: Cursor
bryanbeverly
changed the title
sysread
reviewed
Feb 27, 2026
Addresses review feedback from sysread — the TAG variable was just an alias for RELEASE_TAG, adding confusion without benefit. Made-with: Cursor
Contributor
Author
|
Closed, replaced by #4838 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
release-guard.ymlworkflow'sunset-latestjob fails because theghCLI cannot infer the repository — there is noactions/checkoutstep and noGH_REPOenv var, soghfalls back to looking for a local.gitdirectory which doesn't exist.GH_REPO: ${{ github.repository }}to the step's environment soghknows which repo to target without needing a checkout.release.yml, the "Mark release as latest" step now passesgithub.ref_namethrough an env var instead of interpolating it directly into the shell command.actions: readpermission so the guard can query workflow run status.release.tag_name) is also passed through an env var for consistency.Failed run: https://github.com/trufflesecurity/trufflehog/actions/runs/22491672284
Test plan
Note
Medium Risk
Changes release automation logic and GitHub Actions permissions; mistakes could incorrectly mark/unmark a release as
latestor block releases.Overview
Prevents the
release-guardworkflow from incorrectly undoing a legitimatelatestrelease by first checking whether therelease.ymlworkflow run for the tag already succeeded, and skipping the guard in that case.Hardens
ghCLI usage by explicitly settingGH_REPO/RELEASE_TAGenv vars (no checkout required) and addingactions: readpermission so the guard can query workflow runs;release.ymlalso switches to passing the tag viaTAGenv var when marking the release aslatest.Written by Cursor Bugbot for commit c685900. This will update automatically on new commits. Configure here.