Verify tag commit is reachable from master before release

[nanotaboada]

Summary

Add a runtime verification step to the CD workflow (.github/workflows/maven-cd.yml) that checks whether the tag's commit is reachable from master before proceeding with build and publish steps. This ensures the CD pipeline does not trigger on an unmerged commit if a tag is accidentally pushed from a release branch before the PR is merged.

Motivation

The CD workflow currently triggers on any tag matching v*.*.*-* with no safeguard that the tag points to a commit contained in master. The Pre-Release Checklist enforces process discipline (merge before tagging), but a runtime guard in the workflow would provide an additional safety net.

Proposed Approach

Add a step named "Verify tag commit is reachable from master" to the existing release job, placed immediately after Checkout repository. A separate job is not warranted here — the checkout already uses fetch-depth: 0 so full git history is available, and the check is lightweight enough that spinning up a second runner would be unnecessary overhead.

The step should verify that ${{ github.sha }} is reachable from refs/heads/master using either:

• git branch -r --contains ${{ github.sha }} and checking for origin/master in the output, or
• The GitHub API to confirm the commit is an ancestor of refs/heads/master

The job should fail with a clear error message if the check does not pass.

Acceptance Criteria

• Workflow fails early with a descriptive error if the tag commit is not reachable from master
• No regressions on valid release tags pushed from a merged commit
• Step is placed before any build, test, or publish steps

[coderabbitai]

🔗 Related PRs

#161 - chore(ci): improve Java CI workflow [merged]
#166 - fix(ci): missing checkout step on coverage job [merged]
#287 - ci(release): implement named releases with tag-based deployment (#252) [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

✅ Successfully generated implementation plan.

💡 Use @coderabbitai <feedback> to replan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[coderabbitai]

Coding Plan

Summary

• Add a single bash step after checkout in the release job that verifies ${{ github.sha }} is reachable from origin/master
• Leverage the existing fetch-depth: 0 checkout configuration which provides full git history
• Use git branch -r --contains to check branch ancestry, matching the workflow's established pattern of git-based validations
• Fail early with a clear error message before any build, test, or publish steps execute

Design Choices

Design Choice 1: Which approach should be used to verify commit reachability?

Options Considered:

1. Use git branch -r --contains ${{ github.sha }} and check for origin/master in output — simple, uses existing git history, no additional authentication needed
2. Use GitHub API to confirm the commit is an ancestor of refs/heads/master — requires API call and token handling, more complex setup

Chosen Option: 1

Rationale: The git-based approach is simpler, aligns with existing patterns in the workflow (changelog generation uses git commands), and the full git history is already available via fetch-depth: 0.

💡 User Tips

Regenerate the plan with different choices with @coderabbitai <feedback>.

Implementation Steps

Add Commit Reachability Verification

Add a lightweight verification step to the release job that fails early if the tagged commit is not reachable from the master branch, preventing accidental releases from unmerged branches.

Add verification step to release job

Insert a new step in .github/workflows/maven-cd.yml immediately after the "Checkout repository" step (before the tag validation step) in the release job.

• Add a step named "Verify tag commit is reachable from master" using a bash script
• Fetch remote branch information with git fetch origin master to ensure origin/master ref is current
• Use git branch -r --contains ${{ github.sha }} to list remote branches containing the tagged commit
• Check if origin/master appears in the output; if not, print a descriptive error message explaining that the tag commit must be merged to master before release, then exit with non-zero status
• Follow the existing bash script pattern in the workflow: use run: | with appropriate error handling

🤖 Prompt for AI agents

Add a new step to the `release` job in `.github/workflows/maven-cd.yml` that
verifies the tagged commit is reachable from `origin/master` before any build,
test, or publish steps execute.

- Insert the new step immediately after the "Checkout repository" step and
before the tag validation step in the `release` job
- Name the step "Verify tag commit is reachable from master"
- Implement using a `run: |` bash block, consistent with existing bash script
patterns in the workflow
- Within the script:
- Run `git fetch origin master` to ensure the `origin/master` ref is up to date
- Run `git branch -r --contains ${{ github.sha }}` to list all remote branches
containing the tagged commit
  - Check whether `origin/master` appears in the command output
- If `origin/master` is NOT found, print a descriptive error message explaining
the tag commit must be merged to master before release, then exit with a
non-zero status code

Research

The project uses GitHub Actions for CI/CD with two main workflows: maven-ci.yml for pull request validation and maven-cd.yml for releases. The CD workflow triggers on tags matching v*.*.*-* and contains two jobs: test (runs Maven verify) and release (builds/pushes Docker image and creates GitHub Release). The release job already uses fetch-depth: 0 for full git history access (needed for changelog generation) and includes bash-based validation steps as an established pattern.

---

🚀 Next Steps

🤖 All AI agent prompts combined

Add a new step to the `release` job in `.github/workflows/maven-cd.yml` that
verifies the tagged commit is reachable from `origin/master` before any build,
test, or publish steps execute.

- Insert the new step immediately after the "Checkout repository" step and
before the tag validation step in the `release` job
- Name the step "Verify tag commit is reachable from master"
- Implement using a `run: |` bash block, consistent with existing bash script
patterns in the workflow
- Within the script:
- Run `git fetch origin master` to ensure the `origin/master` ref is up to date
- Run `git branch -r --contains ${{ github.sha }}` to list all remote branches
containing the tagged commit
  - Check whether `origin/master` appears in the command output
- If `origin/master` is NOT found, print a descriptive error message explaining
the tag commit must be merged to master before release, then exit with a
non-zero status code

💡 Iterate on the plan with: @coderabbitai <feedback>

Example Feedback
- `@coderabbitai` You can skip phase 3. Add a simple unit test case for phase 2.
- `@coderabbitai` For design choice 1 go ahead with option 3 and replan.

---

💬 Have feedback or questions? Drop into our discord!