From fa871ffa67845b2886b02790b9899217f8ef1d15 Mon Sep 17 00:00:00 2001 From: "Babak K. Shandiz" Date: Tue, 6 Jan 2026 16:57:57 +0000 Subject: [PATCH 1/4] ci: tag per build job We need to tag the HEAD commit to make sure the right version is baked into the built binaries. See for more details: - https://github.com/cli/cli/issues/12263 Signed-off-by: Babak K. Shandiz --- .github/workflows/deployment.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 68b5237a537..4370eae3b63 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -56,6 +56,13 @@ jobs: # our scripts, which rely on the specific file names generated by GoReleaser. version: v2.13.1 install-only: true + # We temporarily create a tag on HEAD to make the right version embedded + # in the built binaries, BUT we don't push it to the remote. + - name: Tag + env: + TAG_NAME: ${{ inputs.tag_name }} + run: | + git tag "$TAG_NAME" - name: Build release binaries env: TAG_NAME: ${{ inputs.tag_name }} @@ -111,6 +118,13 @@ jobs: # our scripts, which rely on the specific file names generated by GoReleaser. version: v2.13.1 install-only: true + # We temporarily create a tag on HEAD to make the right version embedded + # in the built binaries, BUT we don't push it to the remote. + - name: Tag + env: + TAG_NAME: ${{ inputs.tag_name }} + run: | + git tag "$TAG_NAME" - name: Build release binaries env: TAG_NAME: ${{ inputs.tag_name }} @@ -187,6 +201,13 @@ jobs: Endpoint = "https://wus3.codesigning.azure.net/" } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH + # We temporarily create a tag on HEAD to make the right version embedded + # in the built binaries, BUT we don't push it to the remote. + - name: Tag + env: + TAG_NAME: ${{ inputs.tag_name }} + run: | + git tag "$TAG_NAME" # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet From d02341d5a35051262e5d280579cead9f711ca830 Mon Sep 17 00:00:00 2001 From: "Babak K. Shandiz" Date: Tue, 6 Jan 2026 17:02:54 +0000 Subject: [PATCH 2/4] ci: improve step name Signed-off-by: Babak K. Shandiz --- .github/workflows/deployment.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 4370eae3b63..6ebe07cc76e 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -58,7 +58,7 @@ jobs: install-only: true # We temporarily create a tag on HEAD to make the right version embedded # in the built binaries, BUT we don't push it to the remote. - - name: Tag + - name: Create temporary tag env: TAG_NAME: ${{ inputs.tag_name }} run: | @@ -120,7 +120,7 @@ jobs: install-only: true # We temporarily create a tag on HEAD to make the right version embedded # in the built binaries, BUT we don't push it to the remote. - - name: Tag + - name: Create temporary tag env: TAG_NAME: ${{ inputs.tag_name }} run: | @@ -203,7 +203,7 @@ jobs: # We temporarily create a tag on HEAD to make the right version embedded # in the built binaries, BUT we don't push it to the remote. - - name: Tag + - name: Create temporary tag env: TAG_NAME: ${{ inputs.tag_name }} run: | From f47a230eda42db0f98206480fb885f8d9ffa8344 Mon Sep 17 00:00:00 2001 From: "Babak K. Shandiz" Date: Tue, 6 Jan 2026 17:04:02 +0000 Subject: [PATCH 3/4] ci: shorten `run` block Signed-off-by: Babak K. Shandiz --- .github/workflows/deployment.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 6ebe07cc76e..92ed391109f 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -61,8 +61,7 @@ jobs: - name: Create temporary tag env: TAG_NAME: ${{ inputs.tag_name }} - run: | - git tag "$TAG_NAME" + run: git tag "$TAG_NAME" - name: Build release binaries env: TAG_NAME: ${{ inputs.tag_name }} @@ -123,8 +122,7 @@ jobs: - name: Create temporary tag env: TAG_NAME: ${{ inputs.tag_name }} - run: | - git tag "$TAG_NAME" + run: git tag "$TAG_NAME" - name: Build release binaries env: TAG_NAME: ${{ inputs.tag_name }} @@ -206,8 +204,7 @@ jobs: - name: Create temporary tag env: TAG_NAME: ${{ inputs.tag_name }} - run: | - git tag "$TAG_NAME" + run: git tag "$TAG_NAME" # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet From 1d76eae5aa8d076e6fbd49858a2480c119a8d7df Mon Sep 17 00:00:00 2001 From: Kynan Ware <47394200+BagToad@users.noreply.github.com> Date: Tue, 6 Jan 2026 10:37:12 -0700 Subject: [PATCH 4/4] Add shell specification for temporary tag creation --- .github/workflows/deployment.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 92ed391109f..b3bcd0702b5 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -202,6 +202,7 @@ jobs: # We temporarily create a tag on HEAD to make the right version embedded # in the built binaries, BUT we don't push it to the remote. - name: Create temporary tag + shell: bash env: TAG_NAME: ${{ inputs.tag_name }} run: git tag "$TAG_NAME"