Skip to content

ci: Add a workflow to undo/yank a release, if necessary#512

Closed
vishal-bala wants to merge 2 commits intomainfrom
ci/undo-release-workflow
Closed

ci: Add a workflow to undo/yank a release, if necessary#512
vishal-bala wants to merge 2 commits intomainfrom
ci/undo-release-workflow

Conversation

@vishal-bala
Copy link
Collaborator

@vishal-bala vishal-bala commented Feb 27, 2026

Since we are moving to more automated releases, it makes sense (like in the case of 0.14.1) to have the option to undo a release that was incorrectly created. This should not be done lightly, but as a last resort.

A workflow is one option for this, but possibly not the best (due to permissioning).


Note

Medium Risk
Medium risk because it adds a privileged workflow that can delete GitHub releases/tags and yank packages from PyPI; misconfiguration or misuse could remove published artifacts. Changes are isolated to CI/release automation and lockfile metadata.

Overview
Adds a new manually-triggered Undo Release GitHub Actions workflow (release-undo.yml) that validates a typed confirmation/version, then can optionally delete the GitHub release, delete the remote git tag, and yank redisvl==<version> on PyPI using stored credentials.

Updates release-new.yml to read the GitHub App app-id from vars.RELEASE_BOT_APP_ID instead of a hardcoded value, and bumps uv.lock metadata (including redisvl to 0.14.1).

Written by Cursor Bugbot for commit e426d20. This will update automatically on new commits. Configure here.

@vishal-bala vishal-bala self-assigned this Feb 27, 2026
@vishal-bala vishal-bala added the auto:ci Updates to CI/CD workflows and processes label Feb 27, 2026
@jit-ci
Copy link

jit-ci bot commented Feb 27, 2026

🛡️ Jit Security Scan Results

CRITICAL HIGH MEDIUM

✅ No security findings were detected in this PR


Security scan by Jit

Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

run: |
set -euo pipefail
python -m pip install --upgrade pip twine
twine yank "${SPEC}"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

twine yank is not a valid twine subcommand

High Severity

twine yank is not a valid subcommand. The twine CLI (latest version 6.1.0) only supports upload, check, and register subcommands. Running twine yank "${SPEC}" will fail with an unrecognized command error. PyPI yanking is currently only available through the PyPI web interface or by calling the PyPI API directly (e.g., via curl).

Fix in Cursor Fix in Web

owner: ${{ github.repository_owner }}

- name: Checkout repository
if: ${{ inputs.delete_git_tag }}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Release deletion silently fails without repo checkout context

Medium Severity

The checkout step is conditional on inputs.delete_git_tag, but the gh release view/gh release delete commands also depend on having a repo context. When delete_github_release is true but delete_git_tag is false, no checkout occurs, and gh cannot determine the base repository. Because the gh release view error is suppressed by >/dev/null 2>&1, the step silently falls through to the else branch printing "No GitHub release found," even though the release exists. The checkout condition needs to also account for delete_github_release, or the gh commands need an explicit --repo flag.

Additional Locations (1)

Fix in Cursor Fix in Web

@vishal-bala
Copy link
Collaborator Author

This approach doesn't feel like the most reliable way to go about this, and also on closer inspection, there doesn't seem to be an established programmatic way to yank a release. Ditching this for now in favour of keeping the process fairly manual.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auto:ci Updates to CI/CD workflows and processes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant