From ab664d5a874e4951cec7687f2550573829e1a0ca Mon Sep 17 00:00:00 2001
From: Nathan Randall
Date: Mon, 23 Feb 2026 19:16:43 -0700
Subject: [PATCH] fix release-tag workflow for release tag on main

The release-tag workflow checks out a commit (not a branch), leaving git in detached HEAD state. `git push origin HEAD` fails because git cannot resolve the bare `HEAD` symbolic ref to a remote branch name. Create a temporary local branch before committing and use an explicit refspec (`tmp/release-vX.Y.Z:refs/heads/main`) so the push is an unambiguous fast-forward to main.
---
 .github/workflows/release-tag.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index de530fe4..18e6d441 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -141,6 +141,12 @@ jobs:
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ # workflow_call checkouts may leave us in detached HEAD when the
+ # caller is triggered from a tag ref. Create a temporary local
+ # branch so that `git commit` works and we can push to main.
+ TEMP_BRANCH="tmp/release-${TAG}"
+ git checkout -B "${TEMP_BRANCH}"
+
 # Stage version-bearing files and lockfile changes
 git add -A
 # Ensure CodeQL-generated artifacts are not staged for commit
@@ -154,7 +160,7 @@ jobs:
 else
 git commit -m "Release ${TAG}: update versions to ${RELEASE_NAME}"
 CURRENT_SHA=$(git rev-parse HEAD)
- git push origin HEAD
+ git push origin "${TEMP_BRANCH}:refs/heads/main"
 echo "✅ Committed version changes at ${CURRENT_SHA:0:8}"
 fi
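Review bot: The comment added in the `@@ -141,6 +141,12 @@` hunk says the temporary branch is needed so that `git commit` works, but a commit succeeds on a detached HEAD; per the commit description the failure was in `git push origin HEAD`. A more accurate comment would be `# Detached HEAD: create a local branch so the push below can name an explicit source ref.` `TEMP_BRANCH` is built from `${TAG}`, whose origin lies outside this hunk; if that value can come from a caller input or a pushed ref name, checking it first with `git check-ref-format --branch "${TEMP_BRANCH}"` stops a malformed name before it reaches `git checkout -B`. The run step starts and ends outside the hunk.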
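Review bot: The new push to `refs/heads/main` in the `@@ -154,7 +160,7 @@` hunk does not verify that the commit the workflow checked out is the current tip of main, so it adds exactly one release commit only when that happens to hold. If the run starts from a tag or commit on another line of history that contains main's tip, the same refspec would fast-forward main over every commit on that line, together with whatever the `git add -A` in the earlier context lines staged. A guard before the push makes the invariant explicit: `git fetch origin main` followed by `[ "$(git rev-parse HEAD^)" = "$(git rev-parse FETCH_HEAD)" ] || exit 1`. Whether the tagged commit is always main's tip cannot be seen from this hunk, and the enclosing `if`/`else` begins outside it.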