checkout overwrites tags with lightweight tags #882

Adam- · 2022-08-07T14:34:52Z

When running checkout with fetch-depth: 0 on a tag ref, checkout clobbers the fetched tag by replacing it with its own lightweight tag.

The cause of this is testRef is comparing a tag-object with a commit-object. git rev-parse on a non-lightweight tag ref returns the tag object and not the commit object:

  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
    return (
      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
    )
  }

After this test fails, checkout then performs a 2nd fetch of the commit which results in a lightweight tag being created, overwriting the original tag.

This breaks git describe and other things.

Build log:

$ git cat-file -t 64c28bc66b5420d8bfb158088b830fc6cdb02815
tag
$ git cat-file -p 64c28bc66b5420d8bfb158088b830fc6cdb02815
object 4583104281ae74cb64a04aa28615c062752f1d64
type commit
tag R2
tagger James Carroll <[email protected]> 1659879755 +0100

Test

$ git cat-file -t 4583104281ae74cb64a04aa28615c062752f1d64
commit
$ git cat-file -p 4583104281ae74cb64a04aa28615c062752f1d64
tree 0f020f42f0099856c28e138234f6cb22130bde36
parent 483c83b4723c31e32a6722985f16a840742c99b3
author James Carroll <[email protected]> 1659879639 +0100
committer James Carroll <[email protected]> 1659879727 +0100

Test fetch without force

 /usr/bin/git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*
...
   * [new branch]      main       -> origin/main
   * [new tag]         R1         -> R1
   * [new tag]         R2         -> R2
  /usr/bin/git tag --list R2
  R2
  /usr/bin/git rev-parse refs/tags/R2
  64c28bc66b5420d8bfb158088b830fc6cdb02815
  /usr/bin/git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules origin +4583104281ae74cb64a04aa28615c062752f1d64:refs/tags/R2
  From https://github.com/MrCarroll/runelite-snap
   t [tag update]      4583104281ae74cb64a04aa28615c062752f1d64 -> R2

The text was updated successfully, but these errors were encountered:

ihostage · 2022-08-30T16:42:27Z

It's really very unexpected behaviour 🤔
Moreover, this issue initiates other problem with using some tools that depends on type of tags (JGitVer for example).

And for cutting a release I must use workaround and re-fetch all tags manually 😞

- name: Checkout
  uses: actions/checkout@v3
  with:
    # we don't know what commit the last tag was
    fetch-depth: 0
- run: git fetch --tags --force origin # WA: https://github.com/actions/checkout/issues/882

actions/checkout#882 (comment)

Simonl9l · 2022-11-05T23:36:48Z

not sure if anyone is monitoring this...any and all help appreciated!

I added the work around but if I do a repo.Tags.CountI() I still get zero!

the is what I see in the log:

Run git fetch --tags --force origin
  git fetch --tags --force origin
  shell: /usr/bin/bash -e {0}

I note when the workflow is retrieve the repo it runs:

 /usr/bin/git -c protocol.version=2 fetch --prune --progress --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*

It seem I'm running checkout@2 as that is what Nuke.build is currently using.

Follow-up to #32337 this removes the un-necessary step where we fetch all of the tags which requires pulling a lot of un-necessary git history inflating cache size and publish times. The only reason these tags were needing to be fetched is due to an issue in how the `actions/checkout` step works (actions/checkout#882). This reduces the publish times by at least 4 minutes by removing the tags fetching step https://github.com/vercel/next.js/actions/runs/3598569786/jobs/6061449995#step:16:14 As a further optimization this adds concurrency to the `npm publish` calls themselves to hopefully reduce time spent there as well.

In commit b7fa3a5 of PR git-lfs#5236 we replaced the deprecated actions/setup-ruby@v1 GitHub Action in our CI and release workflows with the current ruby/setup-ruby@v1 Action. We now update our other Actions to their respective latest versions as well: actions/checkout: v1 -> v3 actions/download-artifact: v1 -> v3 actions/setup-go: v2 -> v3 actions/upload-artifact: v1 -> v3 docker/setup-qemu-action: v1 -> v2 As of v2 of the actions/download-artifact Action, downloaded assets are not placed in a new subdirectory created with the name from the step's "name" argument, but in the current working directory instead. We want to retain the previous behaviour so we add a "path" argument with the same name as each of the macos-assets and windows-assets download steps. By default, the actions/checkout Action (as of v2) performs a Git fetch with a --depth=1 option, so a shallow clone is made. As a result, when our Makefile calls "git describe HEAD" to set its VERSION variable, no tags are available and Git responds with an error message. Many of our workflow jobs succeed despite logging that error, including the build-docker and build-docker-cross jobs in both our CI and Release workflows. (The Docker builds create upload artifacts with the correct filenames despite the lack of any tags because they rely on the Git LFS version strings in our debian/changelog file and in our binary; the rpm/build_rpms.bsh script builds a binary just to run "git-lfs version" and determine the version string from its output.) However, our workflow jobs which run the "make release" command fail outright in the absence of any Git tags, as they search for build artifacts using filenames constructed with the empty VERSION variable, such as "git-lfs-windows-amd64-.zip". When no files are found, the tar command fails, halting the job. This affects both the build-default job in our CI workflow (for Linux and macOS), and all of build-main, build-macos, and build-windows jobs in our Release workflow. To resolve this in the case of a PR or other push to a branch, we set a fetch-depth value of 0 for our actions/checkout@v3 steps, which downloads the full Git history and all tags. This is somewhat more expensive than a shallow clone, but our project's history is not excessively large. Due to the GitHub Actions bug documented in actions/checkout#882, though, this resolution is insufficient in the case of a push to a tag. At present, the actions/checkout@v3 incorrectly determines the SHA of an annotated tag to be the SHA of its associated commit, and then proceeds as if the tag had been updated on the server since the Action was started, and so rewrites the tag locally to refer to the commit SHA. This has the effect of making the local tag into a lightweight tag, which "git describe" then ignores (since we don't pass the --tags option to it). As a temporary fix for this problem, we add a step after the actions/checkout@v3 step which updates the local tag again to match the remote one. We only run this step when the pushed reference was a tag, because on a branch push it would fail as Git would refuse to update the currently checked-out branch. In our Release workflow, since it only runs on pushes to tags, we can run this step unconditionally. (We could also continue to use the default fetch-depth of 1 for the actions/checkout@v3 step, since we always subsequently fetch the relevant tag, but to be consistent and to avoid future issues once actions/checkout#882 is fixed upstream, we do not do so.)

chrisd8088 · 2022-12-30T07:45:15Z

We've run into this as well when upgrading our workflows for the Git LFS project. Our proposed workaround at present is to run the following:

    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
      if: ${{ github.ref_type == 'tag' }}
      shell: bash

That seems to be enough to reverse the tag update made by mistake which overwrites the annotated tag and turns it into a lightweight one.

In commit b7fa3a5 of PR git-lfs#5236 we replaced the deprecated actions/setup-ruby@v1 GitHub Action in our CI and release workflows with the current ruby/setup-ruby@v1 Action. We now update our other Actions to their respective latest versions as well: actions/checkout: v1 -> v3 actions/download-artifact: v1 -> v3 actions/setup-go: v2 -> v3 actions/upload-artifact: v1 -> v3 docker/setup-qemu-action: v1 -> v2 As of v2 of the actions/download-artifact Action, downloaded assets are not placed in a new subdirectory created with the name from the step's "name" argument, but in the current working directory instead. We want to retain the previous behaviour so we add a "path" argument with the same name as each of the macos-assets and windows-assets download steps. By default, the actions/checkout Action (as of v2) performs a Git fetch with a --depth=1 option, so a shallow clone is made. As a result, when our Makefile calls "git describe HEAD" to set its VERSION variable, no tags are available and Git responds with an error message. Many of our workflow jobs succeed despite logging that error, including the build-docker and build-docker-cross jobs in both our CI and Release workflows. (The Docker builds create upload artifacts with the correct filenames despite the lack of any tags because they rely on the Git LFS version strings in our debian/changelog file and in our binary; the rpm/build_rpms.bsh script builds a binary just to run "git-lfs version" and determine the version string from its output.) However, our workflow jobs which run the "make release" command fail outright in the absence of any Git tags, as they search for build artifacts using filenames constructed with the empty VERSION variable, such as "git-lfs-windows-amd64-.zip". When no files are found, the tar command fails, halting the job. This affects both the build-default job in our CI workflow (for Linux and macOS), and all of build-main, build-macos, and build-windows jobs in our Release workflow. To resolve this in the case of a PR or other push to a branch, we set a fetch-depth value of 0 for our actions/checkout@v3 steps, which downloads the full Git history and all tags. This is somewhat more expensive than a shallow clone, but our project's history is not excessively large. Due to the GitHub Actions bug documented in actions/checkout#882, though, this resolution is insufficient in the case of a push to a tag. At present, the actions/checkout@v3 incorrectly determines the SHA of an annotated tag to be the SHA of its associated commit, and then proceeds as if the tag had been updated on the server since the Action was started, and so rewrites the tag locally to refer to the commit SHA. This has the effect of making the local tag into a lightweight tag, which "git describe" then ignores (since we don't pass the --tags option to it). As a temporary fix for this problem, we add a step after the actions/checkout@v3 step which updates the local tag again to match the remote one. We only run this step when the pushed reference was a tag, because on a branch push it would fail as Git would refuse to update the currently checked-out branch. In our Release workflow, since it only runs on pushes to tags, we can run this step unconditionally. (We could also continue to use the default fetch-depth of 1 for the actions/checkout@v3 step, since we always subsequently fetch the relevant tag, but to be consistent and to avoid future issues once actions/checkout#882 is fixed upstream, we do not do so.)

actions/checkout#290 actions/checkout#882

a9a6e9e and ea43df2 removed a step that was probably intended to work around actions/checkout#290 and actions/checkout#882, but broke the CI build if anyone used a lightweight tag (because these fetch lines actually shallow the tag depth to 1). This commit attempts to thread the needle by making this workaround conditional only to releases, where (if the person doing the release has followed the steps correctly), there is guaranteed to be an annotated tag at depth 1 in the tag history. (If I'm parsing the checkout bugs correctly, they only trigger on a tag action anyways.)

a9a6e9e and ea43df2 removed a step that was probably intended to work around actions/checkout#290 and actions/checkout#882, but broke the CI build if anyone used a lightweight tag (because these fetch lines actually shallow the tag depth to 1). This commit attempts to thread the needle by making this workaround conditional only to releases, where (if the person doing the release has followed the steps correctly), there is guaranteed to be an annotated tag at depth 1 in the tag history. (If I'm parsing the checkout bugs correctly, they only trigger on a tag action anyways.) (cherry picked from commit 8713efd)

This also adds a workaround for actions/checkout#882 where the new tag get blasted away with a new, lightweight tag for the duration of the run. Signed-off-by: Hank Donnay <[email protected]>

Create binaries on push, tag creation and when a release has been published. Create an archive with the binary, and attach it to the release if a release is published. In all cases, attach the archive in the workflow run as an artifact. The actions/checkout@v3 action overwrites annonated tag with lightweight tags breaking ``git describe``. See [1], [2]. This commit adds a workaround to restore the latest tag to it's original state. References: - [1] actions/checkout#882 - [2] actions/checkout#290

rinnnn · 2023-08-07T13:03:44Z

For me the annotated tag appears as lightweight even when I checkout without the fetch-depth: 0 restriction. Workarounds suggested above work fine.

Create binaries on push, tag creation and when a release has been published. Create an archive with the binary, and attach it to the release if a release is published. In all cases, attach the archive in the workflow run as an artifact. The actions/checkout@v3 action overwrites annonated tag with lightweight tags breaking ``git describe``. See [1], [2]. This commit adds a workaround to restore the latest tag to it's original state. References: - [1] actions/checkout#882 - [2] actions/checkout#290

DJViking · 2023-11-27T22:01:38Z

A full workday wasted to investigate why Jgitver did not work in GitHub Actions.
Then I found this issue. The problem was filed here over a year ago. Why has it not yet been fixed?

Thankfully a workaround exist.
I am currently using this in my workflow

    run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*

But this is a hack, and it clutters the workflow.

Workaround for actions/checkout#882

actions/checkout#882

walles · 2024-02-29T05:52:44Z

Related to #290, possibly a duplicate?

Add workaround for #95, caused by a bug in the checkout action (github.com/actions/checkout/issues/882).

xenoterracide · 2024-06-06T17:50:28Z

I found this workaround elsewhere, probably lighter weight than other workarounds. This behavior is still not acceptable though.

      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

actions/runner-images#1717

elringus · 2024-07-27T16:04:21Z

Adding fetch-tags: true resolved the issue for me, eg:

- uses: actions/checkout@v4
  with:
    fetch-depth: 0
    fetch-tags: true

juped mentioned this issue Aug 21, 2022

Fix release pipeline anoma/namada#363

Merged

ihostage mentioned this issue Aug 30, 2022

Unable to get release build from GitHub Actions. jgitver/jgitver#149

Closed

na-- mentioned this issue Sep 8, 2022

ci: VERSION_DETAILS does not contain the latest tag grafana/k6#2676

Closed

tzemanovic mentioned this issue Oct 18, 2022

release build wrong tag anoma/namada#627

Closed

tzemanovic added a commit to anoma/namada that referenced this issue Oct 18, 2022

CI: add workaround for release build missing git tag

5bc4aca

actions/checkout#882 (comment)

tzemanovic mentioned this issue Oct 18, 2022

CI: add workaround for release build missing git tag anoma/namada#628

Merged

Simonl9l mentioned this issue Nov 5, 2022

Update versions of generated GitHub Actions tasks nuke-build/nuke#1031

Merged

3 tasks

ijjk mentioned this issue Dec 2, 2022

Apply publish step optimizations vercel/next.js#43620

Merged

sethmlarson added a commit to sethmlarson/secure-python-package-template that referenced this issue Dec 11, 2022

Try working around actions/checkout#882

3eef53c

Julow mentioned this issue Dec 13, 2022

Fix --version not returning the version tarides/ocaml-platform-installer#147

Merged

chrisd8088 mentioned this issue Dec 30, 2022

Upgrade workflows to latest Ubuntu and Actions versions git-lfs/git-lfs#5243

Merged

thejpster mentioned this issue Jan 7, 2023

Github gets the tag wrong Neotron-Compute/Neotron-Pico-BIOS#28

Closed

Pesa added a commit to named-data/actions that referenced this issue Feb 7, 2023

Workaround actions/checkout bug

dd3e57e

actions/checkout#290 actions/checkout#882

robertxgray mentioned this issue May 12, 2023

Wrong release versions crawl/crawl#3128

Closed

rawlins mentioned this issue Jun 1, 2023

build: workaround for an actions/checkout bug crawl/crawl#3155

Merged

hdonnay mentioned this issue Jul 27, 2023

cmd: version for old gits quay/clair#1833

Merged

rebornplusplus mentioned this issue Jul 31, 2023

chore: create and attach binaries on tag, release canonical/chisel#91

Merged

1 task

guregu mentioned this issue Aug 7, 2023

Fix version number for Windows build trealla-prolog/trealla#301

Merged

kpushkaryov added a commit to plesk/ubuntu18to20 that referenced this issue Dec 20, 2023

Explicitly fetch tags after checkout

1857ba6

Workaround for actions/checkout#882

walles added a commit to walles/px that referenced this issue Feb 29, 2024

Link to upstream issue

e1669ab

actions/checkout#882

This was referenced Apr 15, 2024

Check git describe behavior during docs deployment juanep97/iop4#97

Closed

Fix release title in docs deployment to GitHub pages juanep97/iop4#98

Merged

juanep97 added a commit to juanep97/iop4 that referenced this issue Apr 15, 2024

Fix release title in docs deployment to GitHub pages (#98)

e54a414

Add workaround for #95, caused by a bug in the checkout action (github.com/actions/checkout/issues/882).

kian99 mentioned this issue May 21, 2024

Release tag workflow fixes canonical/jimm#1215

Merged

3 tasks

xenoterracide mentioned this issue Jun 11, 2024

dependency-submission triggered by tag on default branch does not update dependency results for repository gradle/actions#242

Open

miki725 mentioned this issue Jun 14, 2024

annotatated/signed tags are misreported as regular tags crashappsec/chalk#345

Closed

migoox mentioned this issue Nov 11, 2024

[SDF-70] Fix checkout action gizmokis/resin#11

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

checkout overwrites tags with lightweight tags #882

checkout overwrites tags with lightweight tags #882

Adam- commented Aug 7, 2022

ihostage commented Aug 30, 2022 •

edited

Loading

Simonl9l commented Nov 5, 2022

chrisd8088 commented Dec 30, 2022

rinnnn commented Aug 7, 2023

DJViking commented Nov 27, 2023 •

edited

Loading

walles commented Feb 29, 2024

xenoterracide commented Jun 6, 2024

elringus commented Jul 27, 2024

checkout overwrites tags with lightweight tags #882

checkout overwrites tags with lightweight tags #882

Comments

Adam- commented Aug 7, 2022

ihostage commented Aug 30, 2022 • edited Loading

Simonl9l commented Nov 5, 2022

chrisd8088 commented Dec 30, 2022

rinnnn commented Aug 7, 2023

DJViking commented Nov 27, 2023 • edited Loading

walles commented Feb 29, 2024

xenoterracide commented Jun 6, 2024

elringus commented Jul 27, 2024

ihostage commented Aug 30, 2022 •

edited

Loading

DJViking commented Nov 27, 2023 •

edited

Loading