|
100 | 100 | jobs: |
101 | 101 | tag-and-release: |
102 | 102 | runs-on: ubuntu-latest |
103 | | - concurrency: tag-and-release # prevent any possible race conditions |
| 103 | + concurrency: # prevent any possible race conditions |
| 104 | + group: ${{ github.workflow }}:${{ github.repository }}:${{ github.ref }} # branch-specific |
| 105 | + cancel-in-progress: true |
104 | 106 | steps: |
105 | 107 | - name: Validate inputs |
106 | 108 | run: | |
@@ -134,22 +136,45 @@ jobs: |
134 | 136 | fi |
135 | 137 | fi |
136 | 138 |
|
| 139 | + # CHECKOUT #1 — EXACT EVENT SHA (full git history for validation) |
137 | 140 | - uses: actions/checkout@v4 |
138 | 141 | with: |
139 | 142 | fetch-depth: 0 # required to see tags and commits |
140 | | - ref: ${{ github.ref }} # dont lock to sha (action needs to push) |
141 | | - token: ${{ secrets.TOKEN || github.token }} |
142 | | - |
| 143 | + ref: ${{ github.sha }} # lock to triggered commit (github.ref is dynamic) |
| 144 | + - name: Was this triggered by a branch push? |
| 145 | + run: | |
| 146 | + set -euo pipefail; echo "now: $(date -u +"%Y-%m-%dT%H:%M:%S.%3N")" |
| 147 | + if [[ ! "${{ github.ref }}" =~ ^refs/heads/ ]]; then |
| 148 | + echo "::error::This workflow only supports branch pushes (got ref='${{ github.ref }}')." |
| 149 | + exit 1 |
| 150 | + else |
| 151 | + echo "OK: Running on branch ${{ github.ref_name }}" |
| 152 | + exit 0 |
| 153 | + fi |
143 | 154 | - name: Is this most recent commit? |
144 | 155 | run: | |
145 | 156 | set -euo pipefail; echo "now: $(date -u +"%Y-%m-%dT%H:%M:%S.%3N")" |
146 | 157 |
|
147 | | - git fetch &> /dev/null |
148 | | - if [[ $(git status -sb | grep behind) ]]; then |
149 | | - echo "::error::This commit is not most recent on this branch -- rest of workflow will be skipped" |
| 158 | + # Fetch just the branch tip from origin |
| 159 | + git fetch --no-tags origin "${{ github.ref_name }}" --depth=1 |
| 160 | + tip_sha="$(git rev-parse "origin/${{ github.ref_name }}")" |
| 161 | +
|
| 162 | + # Require the workflow's commit to be the current branch tip |
| 163 | + if [[ "${tip_sha}" != "${{ github.sha }}" ]]; then |
| 164 | + echo "::error::This run's commit ${{ github.sha }} is not the tip of ${{ github.ref_name }} (tip is ${tip_sha:0:7}). Skipping." |
150 | 165 | exit 1 |
| 166 | + else |
| 167 | + echo "OK: ${{ github.sha }} is the current tip of ${{ github.ref_name }}." |
| 168 | + exit 0 |
151 | 169 | fi |
152 | 170 |
|
| 171 | + # CHECKOUT #2 — BRANCH REF (for tag/push/release operations) |
| 172 | + - uses: actions/checkout@v4 |
| 173 | + with: |
| 174 | + fetch-depth: 0 # required to see tags and commits |
| 175 | + ref: ${{ github.ref }} # dont lock to sha (action needs to push) |
| 176 | + token: ${{ secrets.TOKEN || github.token }} |
| 177 | + |
153 | 178 | # PYTHON ONLY: setup python |
154 | 179 | - if: inputs.project-type == 'python' |
155 | 180 | uses: actions/setup-python@v5 # needed for building Python project |
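Review bot: The two new `run:` steps (new lines 145–153 and 156–169) paste `${{ github.ref }}`, `${{ github.ref_name }}` and `${{ github.sha }}` into the bash text before the shell parses it, and git ref names may contain shell metacharacters, so a crafted branch name becomes script content in a job that later checks out with `secrets.TOKEN`. Read the values from the runner's default environment variables (`GITHUB_REF`, `GITHUB_REF_NAME`, `GITHUB_SHA`) inside double quotes instead, as in the excerpt below. Separately, Checkout #2 uses `ref: ${{ github.ref }}`, so the commit that gets tagged is whatever the branch points at when that step runs; if a push lands after the tip check, that may not be the validated SHA, and comparing `git rev-parse HEAD` with `"${GITHUB_SHA}"` right after the second checkout would catch it. The `steps:` list starts before this hunk and continues past it, so steps outside the view may need the same treatment.

```yaml
      - name: Was this triggered by a branch push?
        run: |
          # … unchanged: set -euo pipefail / timestamp echo …
          if [[ ! "${GITHUB_REF}" =~ ^refs/heads/ ]]; then
            echo "::error::This workflow only supports branch pushes (got ref='${GITHUB_REF}')."
            exit 1
          else
            echo "OK: Running on branch ${GITHUB_REF_NAME}"
            exit 0
          fi
      - name: Is this most recent commit?
        run: |
          # … unchanged: set -euo pipefail / timestamp echo …
          git fetch --no-tags origin "${GITHUB_REF_NAME}" --depth=1
          tip_sha="$(git rev-parse "origin/${GITHUB_REF_NAME}")"

          if [[ "${tip_sha}" != "${GITHUB_SHA}" ]]; then
            echo "::error::This run's commit ${GITHUB_SHA} is not the tip of ${GITHUB_REF_NAME} (tip is ${tip_sha:0:7}). Skipping."
            exit 1
          else
            echo "OK: ${GITHUB_SHA} is the current tip of ${GITHUB_REF_NAME}."
            exit 0
          fi
```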
|