From 4dd6c12e68810e321bc2f8b5db0b1756c5cefcc3 Mon Sep 17 00:00:00 2001
From: Piotr Mlocek
Date: Fri, 6 Mar 2026 18:27:09 -0800
Subject: [PATCH 1/2] fix(ci): remove redundant tag fetches

Standardize on actions/checkout with fetch-depth 0 for versioning data. This avoids manual git fetch calls that can fail in container jobs with dubious ownership while keeping tag discovery intact.
---
 .github/workflows/publish.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 288a61968..e9bb66ffa 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -138,9 +138,6 @@ jobs:
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

- - name: Fetch tags
- run: git fetch --tags --force
-
 - name: Compute Python version
 id: version
 run: |
@@ -273,9 +270,6 @@ jobs:
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

- - name: Fetch tags
- run: git fetch --tags --force
-
 - name: Install tools
 run: mise install

@@ -365,9 +359,6 @@ jobs:
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

- - name: Fetch tags
- run: git fetch --tags --force
-
 - name: Log in to GHCR
 run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

From 15f241bbb7222eb86a8105dfbb2ab249aba7c895 Mon Sep 17 00:00:00 2001
From: Piotr Mlocek
Date: Fri, 6 Mar 2026 18:34:12 -0800
Subject: [PATCH 2/2] fix(ci): standardize safe tag fetches

Keep explicit tag refreshes for versioning jobs, but always mark the GitHub workspace as safe first so container jobs do not fail with dubious ownership errors.
---
 .github/workflows/docker-build.yml | 3 +++
 .github/workflows/publish.yml | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index c7d3ca46e..3efcbca26 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -48,6 +48,9 @@ jobs:
 with:
 fetch-depth: 0

+ - name: Mark workspace safe for git
+ run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
 - name: Fetch tags
 run: git fetch --tags --force

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e9bb66ffa..67dffe587 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -74,6 +74,9 @@ jobs:
 with:
 fetch-depth: 0

+ - name: Mark workspace safe for git
+ run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
 - name: Fetch tags
 run: git fetch --tags --force

@@ -138,6 +141,9 @@ jobs:
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

+ - name: Fetch tags
+ run: git fetch --tags --force
+
 - name: Compute Python version
 id: version
 run: |
@@ -270,6 +276,9 @@ jobs:
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

+ - name: Fetch tags
+ run: git fetch --tags --force
+
 - name: Install tools
 run: mise install

@@ -359,6 +368,9 @@ jobs:
 - name: Mark workspace safe for git
 run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

+ - name: Fetch tags
+ run: git fetch --tags --force
+
 - name: Log in to GHCR
 run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
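Review bot: The added `Mark workspace safe for git` step (in the docker-build.yml hunk at line 48, and again in the publish.yml hunk at line 74) has no comment saying why git's ownership check is being relaxed or that the exemption must stay limited to the workspace path. `safe.directory` switches off git's refusal to operate in a repository owned by another user, and `--global` writes it to the job user's config for every later step, so the narrow `"$GITHUB_WORKSPACE"` value is what keeps the step safe; a later edit to `'*'` would drop the check for every path. I would add above the step: `# Container jobs see the checkout as owned by another uid; trust only $GITHUB_WORKSPACE, never '*'.` The uid mismatch is inferred from the commit message, not visible in the hunk.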
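Review bot: `git fetch --tags --force` is now run separately in three more publish.yml jobs (hunks at lines 141, 276 and 368), so each job reads whatever the remote tags are when it starts, and `--force` silently replaces any local tag that has been moved. If those jobs each derive a version from tags (only `Compute Python version` is visible here), a tag pushed or moved mid-run can make artifacts from one run disagree, and a publish can proceed from a tag that no longer points at the checked-out commit. Consider computing the version once in a single job and passing it on as a job output, or, if the workflow is triggered by a tag push, adding a guard after the fetch such as `run: test "$(git rev-parse "$GITHUB_REF_NAME^{commit}")" = "$GITHUB_SHA"`. The jobs' remaining steps are outside these hunks.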