ci(cnb): use plain --force on main push, drop misleading --force-with-lease

`--force-with-lease` without an explicit value uses
`refs/remotes/<remote>/main` as the lease ref. The CNB push remote
is added fresh inside each workflow run (`git remote add cnb …`)
without a prior fetch, so that lease ref never exists in the
runner's local clone. The lease check then misfires with
`! [rejected] HEAD -> main (stale info)` even when CNB is correctly
behind GitHub.

Plain `--force` is the right primitive here: the CNB mirror is
one-way by design, so there's no contributor work on the CNB side
to protect against. The lease safety would only matter in a
multi-writer scenario, which we explicitly don't run.

Confirmed via failing run 25714171752 (2026-05-12T04:53:13Z) where
all three retry attempts failed with the same stale-info error
even though CNB was simply behind GitHub by two scrub commits.
Hunter Bown
2026-05-11 23:54:05 -05:00
parent eb451aefd7
commit c188cade88
+11 -5
@@ -90,11 +90,17 @@ jobs:
TAG="${GITHUB_REF#refs/tags/}"
push_with_retry "tag ${TAG}" "refs/tags/${TAG}:refs/tags/${TAG}"
elif [[ "${GITHUB_REF}" == refs/heads/main ]]; then
# --force-with-lease so an unexpected diverged state on CNB
# surfaces as a failure (rather than silently overwriting).
# The mirror is one-way; if CNB diverges, that's a bug worth
# investigating manually before pushing again.
push_with_retry "main" HEAD:refs/heads/main --force-with-lease
# Plain --force. The CNB mirror is one-way by design —
# nothing else pushes to it, so there's no contributor work
# to protect against. `--force-with-lease` would be safer
# in a multi-writer scenario, but in our setup the lease
# check requires `refs/remotes/cnb/main` to exist in the
# runner's local clone, which it never does (we add `cnb`
# as a fresh remote in this step and don't fetch first).
# That made the lease check spuriously fail with
# `! [rejected] HEAD -> main (stale info)` even when CNB
# was actually behind GitHub.
push_with_retry "main" HEAD:refs/heads/main --force
else
# workflow_dispatch from a non-main branch — push that branch
# too, but never force. Useful for testing the mirror against
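Review bot: on the `push_with_retry "main" HEAD:refs/heads/main --force` line, the switch to plain `--force` drops the one thing the removed comment cared about, namely that a diverged CNB `main` is "a bug worth investigating manually", and nothing replaces it. After this change an unexpected commit on CNB (a leaked mirror token, a manual push, a misconfigured second job) is overwritten with no record in the run log. Since the step already adds `cnb` as a remote, consider recording the remote tip before forcing, for example by logging the output of `git ls-remote cnb refs/heads/main`, and emitting a warning when that SHA is not an ancestor of `HEAD` (`git merge-base --is-ancestor <sha> HEAD` after fetching it). That keeps the push unconditional, as the one-way design wants, while leaving an audit trail of what was replaced. Note also that `push_with_retry` will now repeat a forced push on failure; the new comment could say that this is intended and that retries are idempotent for this refspec.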