Priority: Medium
Description
Tags can be pushed from any commit. The release workflow (release.yml) builds binaries but never runs go vet, govulncheck, or go test. A bad tag pushed from an untested commit ships broken binaries.
CI runs on pushes to main and PRs, but there's no enforcement that a tag points to a commit that passed CI.
Suggested fix
Either:
- Gate the release job on CI passing for that SHA (e.g., require the CI workflow to have passed for the tagged commit before the release job runs), or
- Add the vet/vulncheck/test steps directly to the release workflow, so the release job cannot build from a commit that fails them
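An added example release workflow that combines both options (this is illustrative, not the project's actual release.yml): the first step refuses to run unless a successful check-run for the tagged commit exists, and the remaining steps run vet, govulncheck and test before building. The CI job name ("test"), the use of go.mod for the Go version, and the build command are assumptions.

```yaml
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # assumed: needed to publish release assets
  checks: read      # needed to read check-run results for the tagged commit

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Option 1: refuse to release unless the CI job already passed for the
      # exact commit the tag points to. GITHUB_REF_NAME is the tag name, which
      # the check-runs API resolves to the underlying commit. Assumes the CI
      # job is named "test" in ci.yml; adjust CI_JOB_NAME to match.
      - name: Require CI to have passed for the tagged commit
        env:
          GH_TOKEN: ${{ github.token }}
          CI_JOB_NAME: test
        run: |
          set -euo pipefail
          ok=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${GITHUB_REF_NAME}/check-runs" \
                --jq "[.check_runs[] | select(.name == \"${CI_JOB_NAME}\" and .conclusion == \"success\")] | length")
          if [ "${ok}" -eq 0 ]; then
            echo "::error::no successful '${CI_JOB_NAME}' check-run for ${GITHUB_REF_NAME}; refusing to release"
            exit 1
          fi

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumed: pin Go version from go.mod

      # Option 2: run the same checks CI runs, so a tag pushed from an
      # untested commit cannot produce binaries that would have failed them.
      - name: go vet
        run: go vet ./...
      - name: govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      - name: go test
        run: go test -race ./...

      # Placeholder for the existing build/publish steps.
      - name: Build binaries
        run: go build -o dist/ ./...
```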