From c188cade881bb1ffc6218c64d78cd132a676168d Mon Sep 17 00:00:00 2001 From: Hunter Bown Date: Mon, 11 May 2026 23:54:05 -0500 Subject: [PATCH] ci(cnb): use plain --force on main push, drop misleading --force-with-lease MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `--force-with-lease` without an explicit value uses `refs/remotes//main` as the lease ref. The CNB push remote is added fresh inside each workflow run (`git remote add cnb …`) without a prior fetch, so that lease ref never exists in the runner's local clone. The lease check then misfires with `! [rejected] HEAD -> main (stale info)` even when CNB is correctly behind GitHub. Plain `--force` is the right primitive here: the CNB mirror is one-way by design, so there's no contributor work on the CNB side to protect against. The lease safety would only matter in a multi-writer scenario, which we explicitly don't run. Confirmed via failing run 25714171752 (2026-05-12T04:53:13Z) where all three retry attempts failed with the same stale-info error even though CNB was simply behind GitHub by two scrub commits. --- .github/workflows/sync-cnb.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sync-cnb.yml b/.github/workflows/sync-cnb.yml index 6e0f976b..f8f6be62 100644 --- a/.github/workflows/sync-cnb.yml +++ b/.github/workflows/sync-cnb.yml 
@@ -90,11 +90,17 @@ jobs: TAG="${GITHUB_REF#refs/tags/}" push_with_retry "tag ${TAG}" "refs/tags/${TAG}:refs/tags/${TAG}" elif [[ "${GITHUB_REF}" == refs/heads/main ]]; then - # --force-with-lease so an unexpected diverged state on CNB - # surfaces as a failure (rather than silently overwriting). - # The mirror is one-way; if CNB diverges, that's a bug worth - # investigating manually before pushing again. - push_with_retry "main" HEAD:refs/heads/main --force-with-lease + # Plain --force. The CNB mirror is one-way by design — + # nothing else pushes to it, so there's no contributor work + # to protect against. `--force-with-lease` would be safer + # in a multi-writer scenario, but in our setup the lease + # check requires `refs/remotes/cnb/main` to exist in the + # runner's local clone, which it never does (we add `cnb` + # as a fresh remote in this step and don't fetch first). + # That made the lease check spuriously fail with + # `! [rejected] HEAD -> main (stale info)` even when CNB + # was actually behind GitHub. + push_with_retry "main" HEAD:refs/heads/main --force else # workflow_dispatch from a non-main branch — push that branch # too, but never force. Useful for testing the mirror against
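Review bot: In the `refs/heads/main` branch of the `elif`, plain `--force` removes the only signal that CNB has diverged, which the deleted comment described as "a bug worth investigating manually before pushing again". The new comment rests on "nothing else pushes to it", but nothing in this step verifies that. A stray push made with the mirror credentials would now be overwritten without a trace. The lease failure came from the missing `refs/remotes/cnb/main`, not from the lease itself, so two options keep the check: fetch `cnb main` before the push so the tracking ref exists, or pass an explicit expectation with `--force-with-lease=refs/heads/main:<sha>`, taking the sha from `git ls-remote cnb refs/heads/main`. If plain `--force` stays, log the CNB tip from `git ls-remote` before the push, so that an overwritten commit can still be identified from the run log. The comment should also state that silent overwrite of CNB is the accepted behaviour, since the workflow's earlier stated intent was the opposite.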