From 3ac50c1343ea714fedead8bb829e7433095dadd3 Mon Sep 17 00:00:00 2001
From: Fred Rivett
Date: Thu, 2 Jul 2026 13:51:28 +0100
Subject: [PATCH] Guard release.sh against tagging the wrong commit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

release.sh tagged whatever was checked out, so running it from a feature branch would silently tag the wrong commit. Before tagging, require a clean working tree, fetch, switch to main, and fast-forward to origin/main — failing loudly rather than switching over uncommitted work or force-updating over diverged state.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 release.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/release.sh b/release.sh
index 7c52520..e78089d 100755
--- a/release.sh
+++ b/release.sh
@@ -2,6 +2,15 @@
 # Tag a new release and push to trigger the GitHub Actions release workflow
 set -e
 
+# Releases are always cut from an up-to-date main. Guard against tagging the
+# wrong commit: require a clean tree, then fast-forward main to origin. Fail
+# loudly rather than switching over uncommitted work or force-updating over
+# unexpected state.
+[ -z "$(git status --porcelain)" ] || { echo "Working tree not clean — commit or stash first."; exit 1; }
+git fetch origin --tags
+git checkout main
+git merge --ff-only origin/main || { echo "Local main can't fast-forward to origin/main — reconcile first."; exit 1; }
+
 CURRENT=$(git tag --sort=-v:refname | grep '^v' | head -1)
 echo "Current version: ${CURRENT:-none}"
 
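Review bot: The `git merge --ff-only origin/main` guard still passes when local main is ahead of origin/main, because git then reports "Already up to date" and exits 0. In that case HEAD is an unpushed local commit, so the release tag can still land on code that never reached the remote main branch. Since the script header says pushing the tag triggers the release workflow, that would release a commit that bypassed whatever review or branch protection main has. Add an equality check after the merge, for example `[ "$(git rev-parse HEAD)" = "$(git rev-parse origin/main)" ] || { echo "Local main differs from origin/main — push or reset first." >&2; exit 1; }`, and send the two existing failure messages to stderr with `>&2` as well. The tag and push steps are outside this hunk, so this assumes the tag is created on HEAD.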