docs: record version resolution fix in do-release workflow

.gitea/workflows/do-release.yml

@@ -31,18 +31,46 @@ jobs:
       RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
       SUMMARY_FILE: ${{ runner.temp }}/do-release-summary.md
     steps:
-      - name: Checkout tagged revision
+      - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.ref }}
 
-      - name: Checkout requested tag
-        if: ${{ inputs.tag != '' }}
+      - name: Resolve release version
+        id: resolve-version
+        env:
+          REQUESTED_TAG: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+
+          requested_tag="$(printf '%s' "${REQUESTED_TAG:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
+          
+          if [[ -n "$requested_tag" ]]; then
+            # Explicit tag was provided
+            normalized="${requested_tag#v}"
+            tag="v${normalized}"
+          elif [[ "$GITHUB_REF" == refs/tags/* ]]; then
+            # Running from a tag push
+            tag="${GITHUB_REF#refs/tags/}"
+            normalized="${tag#v}"
+          elif tag_at_head="$(git describe --exact-match --tags HEAD 2>/dev/null)" && [[ -n "$tag_at_head" ]]; then
+            # Current HEAD is at a tag
+            tag="$tag_at_head"
+            normalized="${tag#v}"
+          else
+            echo "A release tag is required when the workflow is not running from a tag push" >&2
+            echo "Provide a tag via the 'tag' input or ensure HEAD is at a tagged commit." >&2
+            exit 1
+          fi
+
+          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+          echo "version=${normalized}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout release tag
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ startsWith(inputs.tag, 'v') && format('refs/tags/{0}', inputs.tag) || format('refs/tags/v{0}', inputs.tag) }}
+          ref: refs/tags/${{ steps.resolve-version.outputs.tag }}
 
       - name: Setup Go
         uses: actions/setup-go@v5
@@ -54,7 +82,7 @@ jobs:
 
       - name: Preflight release API access
         env:
-          REQUESTED_TAG: ${{ inputs.tag }}
+          TAG_NAME: ${{ steps.resolve-version.outputs.tag }}
         run: |
           set -euo pipefail
 
@@ -76,14 +104,9 @@ jobs:
             -H "Content-Type: application/json" \
             "${repo_api}/releases?limit=1" >/dev/null
 
-          requested_tag="$(printf '%s' "${REQUESTED_TAG:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
-          if [[ -n "$requested_tag" ]]; then
-            normalized_tag="${requested_tag#v}"
-            tag_ref="refs/tags/v${normalized_tag}"
-            if ! git rev-parse --verify --quiet "$tag_ref" >/dev/null; then
-              echo "Requested tag ${tag_ref#refs/tags/} was not found in the checked out repository." >&2
-              exit 1
-            fi
+          if ! git rev-parse --verify --quiet "refs/tags/${TAG_NAME}" >/dev/null; then
+            echo "Tag ${TAG_NAME} was not found in the checked out repository." >&2
+            exit 1
           fi
 
       - name: Create or update release
@@ -91,7 +114,7 @@ jobs:
         uses: ./publish
         with:
           token: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
-          version: ${{ inputs.tag }}
+          version: ${{ steps.resolve-version.outputs.version }}
 
       - name: Build release binaries
         env:

CHANGELOG.md

@@ -35,8 +35,9 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 
 ### Fixed
 
-- Fixed `decorate-pr/action.yml` YAML validation by extracting PR comment rendering into `decorate-pr/build-comment.sh`, removing the duplicated changelog extraction step, and correcting the gate failure output reference.
-- Fixed docs-only detection in `decorate-pr` changelog gate: file list was iterated in a piped subshell so `docs_only` never propagated to the parent scope; replaced pipe with process substitution.
+- Fixed version resolution in `do-release` workflow by moving version calculation before checkout, resolving from inputs/git tags, and always passing explicit version to `publish` action.
+- Made `publish` action version resolution more robust with clearer error messages when version input is missing and workflow is not running from a tag push.
+- Fixed `do-release` workflow to always checkout the resolved release tag, eliminating conditional checkout logic that could skip the checkout when called from `prepare-release` workflow.
 - Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.0.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.
 - Restored explicit gosec caching by storing a pinned `v2.22.4` binary under `${{ runner.temp }}/gosec-bin` with `actions/cache@v4`, so CI keeps fast security scans while still using the Go 1.26 toolchain from `setup-go`.
 - Replaced `securego/gosec` composite action with a direct `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 && gosec ./...` run step so gosec uses the Go 1.26 toolchain installed by `setup-go` rather than the action's bundled Go 1.24 binary which ignores `GOTOOLCHAIN=auto`.

publish/action.yml

@@ -57,6 +57,7 @@ runs:
           normalized="${tag#v}"
         else
           echo "A version input is required when the workflow is not running from a tag push" >&2
+          echo "Provide version via input or ensure HEAD is at a tagged commit." >&2
           exit 1
         fi