fix(release): detect published release via git tag when backmerge (#176) #177

Merged
bedatty merged 1 commit into main from develop
Mar 26, 2026
@bedatty commented Mar 26, 2026

Lerian

GitHub Actions Shared Workflows


Description

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #


  • fix(release): detect published release via git tag when backmerge plugin fails

  • fix(release): pin external actions by commit SHA

  • fix(release): use tag snapshot comparison instead of timestamp heuristic

  • refactor(release): extract tag detection into release-tag-snapshot and release-tag-check composites

Summary by CodeRabbit

  • New Features

    • Added automatic detection of successfully published releases, enabling graceful recovery when downstream release steps fail.
  • Chores

    • Pinned third-party GitHub Actions to specific commit SHAs for improved security and consistency.
    • Enhanced release workflow robustness with pre-release tag snapshots and post-release verification mechanisms.

…gin fails (#176)

* fix(release): detect published release via git tag when backmerge plugin fails

* fix(release): pin external actions by commit SHA

* fix(release): use tag snapshot comparison instead of timestamp heuristic

* refactor(release): extract tag detection into release-tag-snapshot and release-tag-check composites
@bedatty requested a review from a team as a code owner March 26, 2026 17:39

coderabbitai bot commented Mar 26, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

Adds two new composite GitHub Actions for detecting releases when semantic-release fails, and pins GitHub Actions in the workflow by commit SHA for supply chain security. The snapshot action captures the latest semver tag before release; the check action detects whether a new tag was created afterward.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release Workflow Updates: .github/workflows/release.yml | Pinned 5 GitHub Actions by commit SHA (create-github-app-token, checkout, ghaction-import-gpg, setup-node, semantic-release-action). Added pre-tags step to snapshot current tags. Added detect-release step that runs on semantic-release failure to check if a release was published. Updated backmerge and failure conditions to use release detection outputs as fallback. |
| Release Tag Snapshot Action: src/config/release-tag-snapshot/action.yml, src/config/release-tag-snapshot/README.md | New composite action that fetches remote tags and outputs the latest semver tag matching v*, or none if no tags exist. Documentation explains pairing with release-tag-check for failure recovery. |
| Release Tag Check Action: src/config/release-tag-check/action.yml, src/config/release-tag-check/README.md | New composite action that compares current latest v* tag against a previous snapshot to detect new releases. Outputs release-published boolean and extracted release-version. Documentation shows conditional execution on release step failure. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

workflow, size/S

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | Description includes type of change checkbox (fix), completes testing checklist items, and lists commit messages detailing implementation. However, the Description section itself is empty—no summary of what the PR does or why is provided. | Add a detailed Description section explaining the problem (timestamp-based detection failure), the solution (tag snapshot comparison), affected workflows, and behavior changes. Link to the caller repo/workflow run that validated this change. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | Title clearly identifies the main change: detecting published releases via git tag when backmerge fails. It is specific, concise, and directly reflects the changeset's primary objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Comment @coderabbitai help to get the list of available commands and usage tips.
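
The snapshot-then-compare detection summarized in the walkthrough above, as an added sketch that is not the repository's release-tag-snapshot or release-tag-check code. The function names, the restriction to plain vX.Y.Z tags, and stripping the leading `v` from the version are assumptions; only the output names `release-published` and `release-version` and the `none` sentinel come from the walkthrough.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.
# In a workflow the tag list would come from something like:
#   git fetch --tags --force && git tag --list 'v*'

# Read tag names on stdin; print the highest vMAJOR.MINOR.PATCH tag or "none".
# Pre-release tags are ignored (assumption): sort -V is version ordering,
# not semver precedence, and would rank v1.3.0-beta.1 above v1.3.0.
latest_semver_tag() (
  latest=$(grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n 1)
  printf '%s\n' "${latest:-none}"
)

# Compare the pre-release snapshot ($1) with the current latest tag ($2).
# A release counts as published only if the latest tag moved forward, so a
# tag that already existed before the run, or a deleted tag that makes the
# latest go backwards, is not reported as a new release.
release_check() (
  prev=$1
  cur=$2
  published=false
  if [ "$cur" != "none" ] && [ "$cur" != "$prev" ]; then
    if [ "$prev" = "none" ]; then
      published=true
    else
      newest=$(printf '%s\n' "$prev" "$cur" | sort -V | tail -n 1)
      if [ "$newest" = "$cur" ]; then published=true; fi
    fi
  fi
  if [ "$published" = true ]; then
    printf 'release-published=true\nrelease-version=%s\n' "${cur#v}"
  else
    printf 'release-published=false\nrelease-version=\n'
  fi
)

# Constructed demo: tag lists before and after a release step that tagged
# v1.11.0 and then failed in a later plugin.
before=$(printf 'v1.9.0\nv1.10.0\nnightly\n' | latest_semver_tag)
after=$(printf 'v1.9.0\nv1.10.0\nv1.11.0\nnightly\n' | latest_semver_tag)
release_check "$before" "$after"
```

Unlike a timestamp heuristic, the comparison does not depend on clock skew or on how long the release step ran; it only asks whether the highest tag changed between the two observations.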

@lerian-studio added the size/S (PR changes 50–199 lines) and workflow (Changes to one or more reusable workflow files) labels Mar 26, 2026
@lerian-studio

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 3 file(s) | ✅ success |
| Action Lint | 1 file(s) | ✅ success |
| Pinned Actions | 3 file(s) | ✅ success |
| Markdown Link Check | 2 file(s) | ✅ success |
| Spelling Check | 5 file(s) | ✅ success |
| Shell Check | 3 file(s) | ✅ success |
| README Check | 3 file(s) | ✅ success |
| Composite Schema | 2 file(s) | ✅ success |

🔍 View full scan logs
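
One way a pinned-actions check like the one reported above can work, as an added sketch that is not this repository's lint job. The function name is hypothetical, the 40-hex SHAs in the sample are constructed placeholders, and treating local (`./`) and `docker://` references as out of scope is an assumption.

```shell
#!/bin/sh
# Added illustration; not the project's Pinned Actions check.

# Read workflow or composite-action YAML on stdin and print every `uses:`
# reference that is not pinned to a full 40-character commit SHA.
# Tags and branches (@v4, @main, @develop) are mutable and can be repointed
# by whoever controls the action's repository; a full SHA cannot.
unpinned_uses() (
  grep -E '^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]' \
    | sed -E 's/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//' \
    | sed -E 's/[[:space:]]+#.*$//; s/[[:space:]]*$//' \
    | tr -d "\"'" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
)

# Constructed sample: one tag reference, one branch reference, one short
# SHA (still ambiguous, so still flagged), one full SHA with the usual
# trailing version comment, and one local composite action.
sample_workflow() {
  cat <<'EOF'
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: "actions/checkout@0123456"
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - name: Snapshot tags
        uses: ./src/config/release-tag-snapshot
EOF
}

# Prints the three unpinned references, one per line.
sample_workflow | unpinned_uses
```

In CI the same function can gate a job by failing when its output is non-empty, for example `[ -z "$(unpinned_uses < .github/workflows/release.yml)" ]`.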

@lerian-studio

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.


🔍 View full scan logs | 🛡️ Security tab

@bedatty merged commit 4851bfe into main Mar 26, 2026
21 of 22 checks passed