fix: guard git tag pipelines against SIGPIPE in gptchangelog (closes #388)

[bedatty]

GitHub Actions Shared Workflows

---

Description

Under the GitHub Actions default shell (bash --noprofile --norc -eo pipefail), a pipeline like git tag --sort=... | head -N fails with exit 141 (SIGPIPE) on repos with many tags: head closes the pipe after N lines, git tag receives SIGPIPE, and pipefail propagates 141, which set -e turns into a step failure. This broke the Generate Changelog job on every stable release in tag-heavy repos (observed on plugin-br-pix-indirect-btg, run linked below).

This PR appends || true to every unguarded git tag … | head … pipeline — the same pattern already used in src/config/release-tag-snapshot/action.yml:17 and src/config/changed-paths/action.yml:94,96. As a bonus it also fixes a latent set -e abort on the grep-filtered pipelines (grep returns 1 when no tag matches); downstream code already handles an empty result via [ -z "$TAG" ] guards, so behavior is preserved.

Affected workflow(s)/actions:

• src/changelog/gptchangelog/action.yml (lines 82, 167, 237) — the action consumed by release.yml via @v1
• .github/workflows/gptchangelog.yml (lines 83, 196, 332)
• src/config/release-tag-check/action.yml (line 27) — used by release.yml's release-detection path
• .github/workflows/helm-release-notification.yml (line 104)

Repo-wide sweep result: .github/workflows/dispatch-helm.yml:122 uses … | tail -1. tail reads the entire stream and never closes the pipe early, so it is not SIGPIPE-vulnerable and was intentionally left unchanged. No other unguarded git tag … | head/tail pipelines remain.

Type of Change

• fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)

Breaking Changes

None.

Testing

• YAML syntax validated locally (yaml.safe_load on all 4 files)
• Triggered a real workflow run on a caller repository using @this-branch or the beta tag
• Verified all existing inputs still work with default values (no input/output/signature change — only || true appended)
• Confirmed no secrets or tokens are printed in logs
• Checked that unrelated workflows are not affected

Caller repo / workflow run: failing run that motivated the fix — https://github.com/LerianStudio/plugin-br-pix-indirect-btg/actions/runs/26657889439/job/78572886408

Consumers that benefit

Any repo consuming release.yml with enable_changelog: true (and the gptchangelog / helm-release-notification workflows) on a repository with a large tag history — in particular every repo running a maintenance/patch line, which accumulates tags fastest. The gptchangelog action is pinned by consumers as @v1; on merge to main the update_major_tag job (enabled by self-release.yml) moves the floating v1 tag, so consumers pick up the fix automatically.

Related Issues

Closes #388

Summary by CodeRabbit

• Chores
  • Improved robustness of GitHub Actions workflows to handle edge cases with missing tags, preventing premature failures during release and changelog automation processes. These updates enhance workflow stability across repository build and release pipelines.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8f549ad6-570a-4069-8215-746f4d56310a

📥 Commits

Reviewing files that changed from the base of the PR and between 32d6885 and 137697d.

📒 Files selected for processing (4)

• .github/workflows/gptchangelog.yml
• .github/workflows/helm-release-notification.yml
• src/changelog/gptchangelog/action.yml
• src/config/release-tag-check/action.yml

---

Walkthrough

Four workflow/composite-action files now append || true to eight git tag query pipelines to prevent SIGPIPE exit-code 141 failures under pipefail mode when repositories have many tags or queries yield no results. Downstream logic already handles empty tag variables.

Changes

SIGPIPE Tolerance for Tag Queries

Layer / File(s)	Summary
GPT Changelog tag discovery pipelines .github/workflows/gptchangelog.yml, src/changelog/gptchangelog/action.yml	Recent stable tag discovery (line 83 and 82), per-app stable tag lookup during monorepo matrix build (line 196 and 167), and per-app latest stable tag lookup during changelog generation (line 332 and 237) now use || true to tolerate empty results.
Helm release notification tag resolution .github/workflows/helm-release-notification.yml	The LATEST_TAG resolution in the "Resolve release metadata" step (line 104) now appends || true to allow the subsequent explicit empty-tag check to run.
Release tag check semver detection src/config/release-tag-check/action.yml	The NEW_TAG assignment (line 27) now includes || true fallback so empty semver tag sets do not cause step failure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• LerianStudio/github-actions-shared-workflows#364: Adds similar git tag detection in the "Resolve release metadata" flow of the helm-release-notification workflow.

Suggested labels

workflow, changelog, composite, size/XS

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly describes the primary fix: guarding git tag pipelines against SIGPIPE, directly matching the changeset's core objective of appending || true to prevent pipeline failures.
Description check	✅ Passed	Description covers root cause (SIGPIPE under pipefail), impact (changelog generation failures), solution (|| true guards), affected files with line numbers, testing performed, and related issue closure.
Linked Issues check	✅ Passed	All code changes in the PR directly address issue #388: appending || true to git tag pipelines in the four affected files (gptchangelog action, gptchangelog workflow, release-tag-check action, helm-release-notification workflow) to prevent SIGPIPE exit 141 failures.
Out of Scope Changes check	✅ Passed	All changes are narrowly scoped to issue #388: only git tag pipeline guards added. The PR explicitly notes dispatch-helm.yml line 122 uses tail (not vulnerable) and was intentionally left unchanged, confirming no unrelated alterations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/guard-git-tag-sigpipe

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lerian-studio]

⚠️ Invalid Source Branch

Pull requests to main can only come from:

• develop
• hotfix/*

Your source branch: fix/guard-git-tag-sigpipe

Please change the base branch or create a PR from an allowed branch.

[lerian-studio]

🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

Check	Status	Blocking
Source Branch	✅ success	yes
PR Title	✅ success	yes
PR Description	✅ success	yes
PR Size	✅ success	no
Auto Labels	✅ success	no
PR Metadata	✅ success	no

---

_{🔍 View workflow run}

[lerian-studio]

🔍 Lint Analysis

Check	Files Scanned	Status
YAML Lint	4 file(s)	✅ success
Action Lint	2 file(s)	✅ success
Pinned Actions	4 file(s)	✅ success
Markdown Link Check	no changes	⏭️ skipped
Spelling Check	4 file(s)	✅ success
Shell Check	4 file(s)	✅ success
README Check	4 file(s)	✅ success
Composite Schema	2 file(s)	✅ success
Deployment Matrix	no changes	⏭️ skipped

---

_{🔍 View full scan logs}

[lerian-studio]

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.

---

_{🔍 View full scan logs | 🛡️ Security tab}