auto-tag.yml cannot cut releases — both the version-bump push to main and the tag push are rejected by branch/tag protection. No automated release can currently be published, and v1.5.6 is stuck: __version__.py on main already says 1.5.6 (PR #544 merged) but no tag/release/PyPI publish exists (PyPI still 1.5.5).
Repro / evidence
Label a normal fix PR semver:patch (fix(report): explain how to synthesize a flat-saved result (#537) #543). On merge, auto-tag computes v1.5.6, commits the bump, and git push origin HEAD:main → GH013: Repository rule violations found for refs/heads/main (run 26918940207). The main branch ruleset forbids direct pushes (requires a PR); the github-actions[bot] identity isn't a bypass actor.
Pre-bump release PR (chore(release): bump to 1.5.6 #544, chore(release): bump to 1.5.6, semver:patch). On merge, auto-tag correctly hits "Version artifacts already at v1.5.6 … nothing to commit" (main push skipped ✅), then Create and push tag fails: GH013: Repository rule violations found for refs/tags/v1.5.6 — push declined (run 26920863167). So there's also a tag ruleset the bot can't bypass.
Root cause
The github-actions[bot] (default GITHUB_TOKEN identity) has no bypass on either the main branch ruleset or the v* tag ruleset. auto-tag.yml needs to push both a version-bump commit and a release tag, so every release attempt dies on GH013. RELEASING.md's documented "label any PR semver:patch and merge" flow therefore can't work as written.
Fixes
Durable (recommended): add the GitHub Actions identity as a bypass actor on the main branch ruleset and the v* tag ruleset (these are Terraform-managed in dataviking-infra). With main-push bypass, the documented auto-bump flow works directly; the tag-push bypass is required regardless.
Interim, to ship 1.5.6 now: an admin (who bypasses the rulesets) pushes the tag at current main (which already carries __version__.py = 1.5.6):
git tag v1.5.6 origin/main && git push origin v1.5.6
# or: gh release create v1.5.6 --target main --generate-notes --title v1.5.6
That tag push triggers publish.yml → PyPI.
Workflow hardening: auto-tag could fail fast with an actionable message when a push is rejected (it currently dies on an opaque GH013), and RELEASING.md should reflect whichever flow is supported.
Opening a Terraform PR in dataviking-infra proposing the bypass-actor change.
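One way to implement the fail-fast check suggested under "Workflow hardening", added here as an example and not taken from auto-tag.yml or from the issue author. The function names, the exit code 3 and the stand-in push commands are assumptions; only the GH013 text and the ref names come from the issue.

```shell
# Added example: wrap a push so a GH013 ruleset rejection becomes an
# actionable GitHub Actions annotation instead of an opaque failure.

# Map a rejected ref to the remedy the issue proposes for it.
ruleset_hint() {
  case "$1" in
    refs/heads/*) echo "branch ruleset forbids direct pushes; add the workflow identity as a bypass actor or land the bump through a PR" ;;
    refs/tags/*)  echo "tag ruleset blocks this identity; add it as a bypass actor or have an admin push the tag" ;;
    *)            echo "a repository ruleset rejected this ref" ;;
  esac
}

# guarded_push <ref> <command...>
# Runs the push command and echoes its output. On a GH013 rejection it
# prints an ::error annotation and returns 3 (code chosen for this example).
# Any other failure keeps its own exit status.
guarded_push() {
  gp_ref=$1; shift
  gp_rc=0
  gp_out=$("$@" 2>&1) || gp_rc=$?
  printf '%s\n' "$gp_out"
  if [ "$gp_rc" -eq 0 ]; then
    return 0
  fi
  case "$gp_out" in
    *GH013*)
      echo "::error title=Push to $gp_ref rejected (GH013)::$(ruleset_hint "$gp_ref")"
      return 3 ;;
  esac
  return "$gp_rc"
}

# Constructed stand-ins for the real push, so the example runs offline.
fake_tag_push() {
  echo "remote: error: GH013: Repository rule violations found for refs/tags/v1.5.6." >&2
  return 1
}
fake_other_failure() {
  echo "fatal: unable to access remote" >&2
  return 128
}

# In a workflow step (TAG is a hypothetical variable):
#   guarded_push "refs/tags/$TAG" git push origin "$TAG"
```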