`--force-with-lease` without an explicit value uses
`refs/remotes/<remote>/main` as the lease ref. The CNB push remote
is added fresh inside each workflow run (`git remote add cnb …`)
without a prior fetch, so that lease ref never exists in the
runner's local clone. The lease check then misfires with
`! [rejected] HEAD -> main (stale info)` even when CNB is correctly
behind GitHub.
Plain `--force` is the right primitive here: the CNB mirror is
one-way by design, so there's no contributor work on the CNB side
to protect against. The lease safety would only matter in a
multi-writer scenario, which we explicitly don't run.
Confirmed via failing run 25714171752 (2026-05-12T04:53:13Z) where
all three retry attempts failed with the same stale-info error
even though CNB was simply behind GitHub by two scrub commits.
Closes the persistent "fatal: could not read Username for 'https://cnb.cool'"
failure that bit about half of recent sync-cnb runs.
Root causes from the failure log of run 25705666413 (2026-05-12) and
25697452832 (2026-05-11):
1. The previous tencentcom/git-sync Docker action discovered every
local ref via fetch-depth: 0 and tried to push them all —
including dependabot/* branches that GitHub had locally. Those
follow-on pushes ran without the configured credential helper
in scope and failed with the basic-auth prompt error above.
2. No concurrency guard meant the back-to-back `main` push and
`v*` tag push that auto-tag.yml fires within ~15s of each other
raced. Two workflow runs would attempt to push to the same
CNB remote simultaneously; one would lose.
Rewrite:
* Hand-rolled `git push` with the CNB token URL-encoded inline so
the credential is always in scope. No Docker action dependency.
* `concurrency: group: cnb-sync, cancel-in-progress: false` so
queued runs serialize cleanly rather than racing or dropping.
* Only push the ref that triggered the run — `main` on branch
push (with --force-with-lease for safety), the specific tag on
tag push. Feature branches and dependabot refs no longer
mirror.
* 3-attempt retry with linear backoff (5s, 10s) for transient
failures (CNB rate-limit, DNS blips, etc.).
* `workflow_dispatch: {}` trigger so the maintainer can re-run
against a specific ref manually if the automated run fails.
Adds docs/CNB_MIRROR.md with: the verification steps after a
release, the manual fallback procedure (one-time `git remote add cnb`,
then `git push cnb vX.Y.Z`), the token-rotation procedure, and a
note on why binary release assets aren't on CNB today.
Cross-links from docs/RELEASE_RUNBOOK.md so the verify-after-release
step doesn't get forgotten.
- Add explicit permissions: contents: read (least-privilege)
- Bump actions/checkout@v3 → @v4
- Narrow trigger from on: [push] to on: push: branches: [main] + tags: ['v*']
Matches the hardening convention used by every other workflow in the repo.
Hunter Bown