fix(release): detect published release via git tag when backmerge plugin fails #176

Merged: bedatty merged 4 commits into develop from fix/release-backmerge-fallback-detection on Mar 26, 2026
@bedatty (Contributor) commented Mar 26, 2026

Lerian

GitHub Actions Shared Workflows


Description

When the @saithodev/semantic-release-backmerge plugin fails (e.g., non-fast-forward push to develop), the cycjimmy/semantic-release-action exits with failure and does not set the new_release_published output — even though the release was successfully published.

This caused the backmerge PR fallback step to be skipped and the job to fail with a misleading error: "Semantic release failed before publishing a new version".

Fix: Added a new step that detects whether a release was actually published by checking if a recent git tag (< 5 min old) exists on the current branch. The backmerge fallback and fail conditions now use this detection as an alternative signal, ensuring the fallback PR is created when the backmerge plugin fails after a successful release.

Affected workflow: release.yml (reusable)

Triggered by: https://github.com/LerianStudio/github-actions-shared-workflows/actions/runs/23607221651/job/68753204358

Type of Change

  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: https://github.com/LerianStudio/github-actions-shared-workflows/actions/runs/23607221651/job/68753204358 (the failing run that triggered this fix)

Related Issues

N/A

Summary by CodeRabbit

  • Chores
    • Improved CI release detection and fallback logic to avoid false failures, correctly recognize published releases after failed attempts, and enable automatic backmerge when a release is detected.
  • New Features
    • Added a tag snapshot-and-check mechanism to verify whether a new release tag was created during release runs.
  • Documentation
    • Added README docs describing the snapshot/check workflow and usage examples.

@bedatty requested a review from a team as a code owner March 26, 2026 17:08

coderabbitai bot commented Mar 26, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Adds two composite actions (release-tag-snapshot, release-tag-check) and updates the release workflow to snapshot the latest v* tag before semantic-release, re-check tags on semantic-release failure to detect published releases, and use detected tag info for backmerge and final-fail decisions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release workflow: /.github/workflows/release.yml | Pins several GitHub Actions to commit SHAs; adds a “Snapshot tags before release” step; adds a post-failure Detect if release was published step that compares tags to the snapshot and exposes release_published / release_version; updates conditions and inputs for backmerge and final-fail steps to consider detection output. |
| Release tag check action: src/config/release-tag-check/action.yml, src/config/release-tag-check/README.md | New composite action release-tag-check that takes previous-tag, fetches tags, determines latest v* tag, outputs release-published (boolean) and release-version (without v); README documents inputs, outputs, usage examples and required permissions. |
| Release tag snapshot action: src/config/release-tag-snapshot/action.yml, src/config/release-tag-snapshot/README.md | New composite action release-tag-snapshot that fetches remote tags, selects highest semver v* tag, outputs latest-tag (or none); README documents usage and permissions. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title directly reflects the main change: fixing release detection when the backmerge plugin fails by using git tags as an alternative signal. |
| Description check | ✅ Passed | Description covers the problem statement, root cause, solution, affected workflow, testing validation, and includes a real failing run reference. Follows template structure with Type of Change and Breaking Changes sections completed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@lerian-studio added the size/XS (PR changes < 50 lines) and workflow (Changes to one or more reusable workflow files) labels Mar 26, 2026

lerian-studio commented Mar 26, 2026

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 3 file(s) | ✅ success |
| Action Lint | 1 file(s) | ✅ success |
| Pinned Actions | 3 file(s) | ✅ success |
| Markdown Link Check | 2 file(s) | ✅ success |
| Spelling Check | 5 file(s) | ✅ success |
| Shell Check | 3 file(s) | ✅ success |
| README Check | 3 file(s) | ✅ success |
| Composite Schema | 2 file(s) | ✅ success |

lerian-studio commented Mar 26, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.


coderabbitai bot previously requested changes Mar 26, 2026

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)

106-106: 🧹 Nitpick | 🔵 Trivial

Pre-existing: Third-party actions not SHA-pinned.

These actions (actions/create-github-app-token@v2, actions/checkout@v6, crazy-max/ghaction-import-gpg@v7, actions/setup-node@v6, cycjimmy/semantic-release-action@v6) are pinned by tag, not commit SHA. Per coding guidelines, third-party actions outside LerianStudio org must be pinned by SHA with a # vX.Y.Z comment.

Not introduced by this PR, but flagging for awareness. Consider addressing in a follow-up.

Also applies to: 113-113, 124-124, 136-136, 151-151

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 106, The workflow currently references
third-party actions by tag (e.g., actions/create-github-app-token@v2,
actions/checkout@v6, crazy-max/ghaction-import-gpg@v7, actions/setup-node@v6,
cycjimmy/semantic-release-action@v6); replace each tag reference with the
corresponding commit SHA (pin to a full commit hash) and add a trailing comment
with the version (e.g., "# v2.0.0") as per guidelines, ensuring you update the
uses: entries for those actions to the SHA form and include the "# vX.Y.Z"
comment for each referenced action name to satisfy the org policy.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 174: The LATEST_TAG assignment uses "git tag --sort=-v:refname" which can
surface non-semver tags; change the LATEST_TAG logic to only consider
semantic-style tags by filtering tags (e.g., those prefixed with "v") before
sorting — replace the current git tag invocation used to set LATEST_TAG so it
lists only "v*" tags and then sorts by version (maintain the -v:refname sort and
the head selection) to ensure non-semver tags like "beta" or
"release-candidate-1" are excluded.
- Around line 177-182: The check uses TAG_DATE computed from the commit
(TAG_COMMIT) which is wrong for lightweight tags; change the logic so TAG_DATE
is derived from the tag ref creation time (reflog) or from the workflow run
timestamp instead of the commit timestamp: query the tag ref reflog for
refs/tags/"$LATEST_TAG" to get its reflog creation epoch (use that value as
TAG_DATE) or fall back to GitHub Actions provided run time (e.g.,
GITHUB_RUN_CREATED_AT or the workflow run timestamp) and then compute DIFF = NOW
- TAG_DATE; update references to TAG_DATE, TAG_COMMIT and DIFF accordingly so
the 5-minute check uses tag creation time rather than the commit author time.

📥 Commits

Reviewing files that changed from the base of the PR and between 8a2aa8c and bafc671.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

@bedatty dismissed coderabbitai[bot]’s stale review March 26, 2026 17:22

All comments addressed — SHA pinning applied in a4ba6ea, tag detection refactored in 53cd232.
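
The snapshot-and-compare detection discussed in this thread, as an added example that is not the PR's code: it keeps only version-style `v*` tags, orders them numerically, and compares the latest tag against the pre-release snapshot without reading any timestamp. The function names, the sample tag lists and the rule that a final release ranks above a prerelease of the same version are assumptions; the output names `release-published` and `release-version` follow the walkthrough above.

```shell
#!/bin/sh
# Added example: function names and tag lists are constructed for illustration.
# In a workflow the list would come from `git tag --list 'v*'` after a tag fetch.

# latest_v_tag: read tag names on stdin, print the highest vMAJOR.MINOR.PATCH
# tag (optional -channel.N prerelease), or "none". Non-version tags are dropped.
latest_v_tag() {
  tag=$(awk '
    /^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$/ {
      core = substr($0, 2); pre = ""; num = 0
      i = index(core, "-")
      if (i) { pre = substr(core, i + 1); core = substr(core, 1, i - 1) }
      split(core, n, ".")
      if (pre != "") { num = pre; sub(/^.*\./, "", num); if (num !~ /^[0-9]+$/) num = 0 }
      # Sort key: major minor patch, final release (1) above prerelease (0), counter.
      printf "%d %d %d %d %d %s\n", n[1], n[2], n[3], (pre == ""), num, $0
    }' | sort -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n | tail -n 1 | cut -d' ' -f6)
  printf '%s\n' "${tag:-none}"
}

# check_release PREVIOUS_TAG: read the current tag list on stdin and print the
# two outputs the check step exposes. No tag or commit timestamp is consulted.
check_release() {
  previous=$1
  latest=$(latest_v_tag)
  if [ "$latest" != "none" ] && [ "$latest" != "$previous" ]; then
    printf 'release-published=true\nrelease-version=%s\n' "${latest#v}"
  else
    printf 'release-published=false\nrelease-version=\n'
  fi
}

# Constructed sample data: tags before and after a release run.
BEFORE_TAGS='beta
release-candidate-1
v1.9.0
v1.10.0
v1.10.1-beta.1'
AFTER_TAGS="$BEFORE_TAGS
v1.10.1-beta.2"

SNAPSHOT=$(printf '%s\n' "$BEFORE_TAGS" | latest_v_tag)
printf 'snapshot=%s\n' "$SNAPSHOT"
printf '%s\n' "$AFTER_TAGS" | check_release "$SNAPSHOT"
```

The numeric sort keys matter here: a plain lexical sort would rank `v1.9.0` above `v1.10.0` and report the wrong snapshot.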

@lerian-studio added the size/S (PR changes 50–199 lines) label and removed the size/XS (PR changes < 50 lines) label Mar 26, 2026

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 179-190: The workflow interpolates step output directly into the
shell run block (using PRE_TAG="${{ steps.pre-tags.outputs.latest_tag }}"),
which risks command injection; change to pass the output via an env: variable
and reference it inside the run script (e.g., set env PRE_TAG from
steps.pre-tags.outputs.latest_tag and use PRE_TAG within the run script),
ensuring NEW_TAG, PRE_TAG, VERSION and writing to GITHUB_OUTPUT remain the same
but without direct GitHub Actions expression interpolation inside the shell
code.
📥 Commits

Reviewing files that changed from the base of the PR and between a4ba6ea and 53cd232.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
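
Why the review comment above asks for `env:` instead of inline interpolation, as an added example that is not part of the PR: an expression written inside `run:` is pasted into the script text before the shell parses it, while an environment variable reaches the script only as data. The function names, the stand-in for the expression substitution and the sample value are all constructed for illustration.

```shell
#!/bin/sh
# Added example: simulates the two ways a step output can reach a run script.
# All names and values are constructed; MARKER is a harmless stand-in.

# Constructed step output containing shell metacharacters.
SAMPLE_TAG='v1.0.0$(echo MARKER)'

# Inline form: the value becomes part of the script source, so the shell
# parses it as code (this mirrors PRE_TAG="<expression>" inside run:).
run_interpolated() {
  script=$(printf 'PRE_TAG="%s"; printf "%%s" "$PRE_TAG"' "$1")
  sh -c "$script"
}

# env form: the script text is fixed; the value arrives in the environment
# and is only ever expanded as a quoted variable.
run_via_env() {
  PRE_TAG=$1 sh -c 'printf "%s" "$PRE_TAG"'
}

# Defense in depth: accept only "none" or a version-style tag before use.
validate_tag() {
  awk -v t="$1" 'BEGIN {
    exit (t ~ /^(none|v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?)$/) ? 0 : 1
  }'
}

printf 'inline: %s\n' "$(run_interpolated "$SAMPLE_TAG")"
printf 'env:    %s\n' "$(run_via_env "$SAMPLE_TAG")"
if validate_tag "$SAMPLE_TAG"; then
  echo 'validation: accepted'
else
  echo 'validation: rejected'
fi
```

In the inline run the embedded command substitution is evaluated and its output ends up in the value; in the env run the same bytes come back unchanged, and the validation step rejects them.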

@bedatty merged commit 0644d0b into develop Mar 26, 2026
16 of 17 checks passed
@github-actions bot deleted the fix/release-backmerge-fallback-detection branch March 26, 2026 17:33
@bedatty restored the fix/release-backmerge-fallback-detection branch March 26, 2026 17:33
bedatty added a commit that referenced this pull request Mar 26, 2026
…gin fails (#176) (#177)

* fix(release): detect published release via git tag when backmerge plugin fails

* fix(release): pin external actions by commit SHA

* fix(release): use tag snapshot comparison instead of timestamp heuristic

* refactor(release): extract tag detection into release-tag-snapshot and release-tag-check composites