ci(release): pin softprops target_commitish to the release commit

[bpamiri]

Summary

Prevents the off-main stable tag from recurring every cut where main has diverged from develop.

softprops/action-gh-release defaults target_commitish to the repo default branch (develop) when unset — so the v4.0.2 stable tag was created on develop's HEAD (59ff240e3, off-main) instead of the released commit, and had to be force-moved manually post-release (#2819). This pins target_commitish: ${{ github.sha }} on the stable Create GitHub Release step so the tag always lands on the exact commit that was built.

Stable step only — the snapshot step (Create Snapshot Pre-Release) publishes to wheels-dev/wheels-snapshots via repository:, where a wheels-repo SHA wouldn't resolve, so it's intentionally left untouched.

Test plan

• release.yml valid YAML; target_commitish present once (stable step only)
• Verified on the next stable cut: v4.0.3 tag lands on main HEAD with no manual move

🤖 Generated with Claude Code

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: Targeted one-line CI fix that pins the softprops/action-gh-release tag to the exact released commit on main, preventing a recurrence of the off-main tag placement that required a manual force-move after v4.0.2 (#2819). The change is correct, narrowly scoped, and well-documented. Approve.

Correctness

The root cause is accurately diagnosed: softprops/action-gh-release uses the repo's default branch as target_commitish when the parameter is omitted, and this repo's default branch is develop, not main. Adding target_commitish: ${{ github.sha }} to the stable step pins the tag to the commit that actually triggered the workflow — the right fix.

A few correctness points confirmed:

• The stable step guard is already present. The step has if: github.ref == 'refs/heads/main', so github.sha will always be a commit on main when this step runs. This holds for both the push and workflow_dispatch triggers.
• Snapshot step left untouched — correctly. The snapshot step publishes to wheels-dev/wheels-snapshots via repository:; a SHA from wheels-dev/wheels would not resolve in a foreign repo, so omitting target_commitish there is the right call. The inline comment at lines 457–460 documents this asymmetry explicitly.
• with: | block syntax. The Wandalen/wretry.action consumes forwarded inputs as a literal string that GitHub Actions interpolates before passing to softprops. All existing parameters (tag_name, name, body_path, etc.) already follow this pattern, so the new entry fits cleanly.

No edge cases left unaddressed: the tag does not pre-exist (it is created by this step), and overwrite_files: true covers idempotent re-runs.

Commits

Single commit ci(release): pin softprops target_commitish to the release commit.

• Type ci is in the valid-types allowlist.
• Scope release is unrestricted per commitlint.config.js.
• Header is 60 characters, well under the 100-char limit.
• Body explains the why (v4.0.2 incident, develop as default branch) and the deliberate scope boundary (snapshot exclusion).
• DCO Signed-off-by: Peter Amiri <peter@alurium.com> present.

Tests / Docs

No CFML code changed — cross-engine checks, test coverage requirements, and .ai/wheels/ doc updates do not apply here. The PR checklist item for verifying on the next stable cut is appropriately deferred; there is no practical way to pre-verify CI release mechanics in isolation.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is clean. The fix is a single-line CI change pinning target_commitish to github.sha on the stable release step, and A correctly traced the root cause, validated the guard condition, and justified the snapshot exclusion. No issues with the critique; aligned on approve.

Sycophancy

None detected. A cites concrete reasoning for the approval: the if: github.ref == 'refs/heads/main' guard ensures github.sha is always a main commit, the snapshot step correctly omits target_commitish because cross-repo SHAs don't resolve, and the with: | block pattern is consistent with the existing parameters in the same block.

False positives

None detected. I re-read the diff against A's claims:

• github.sha always on main: the guard is existing config, not in the diff, so A is relying on context. Reasonable inference for a release workflow where the step is already gated to refs/heads/main.
• Snapshot step omission justified: correct — repository: points to a foreign repo; a SHA from wheels-dev/wheels would not resolve there.
• with: | interpolation: ${{ }} expressions are evaluated by the Actions runner before the action runs, so ${{ github.sha }} will be the resolved SHA by the time Wandalen/wretry.action receives the string. Consistent with how ${{ env.WHEELS_VERSION }} already works in the same block.
• DCO sign-off: human-authored commit; the sign-off trailer is on the PR author's commit, which is correct for a contributor PR.

Missed issues

None detected. This is a CI-only change with no CFML code, no test surface, and no .ai/wheels/ docs to update. The one thing A cited without the diff visible — the overwrite_files: true idempotency note — is a minor aside about existing config and does not affect correctness of the change itself.

Verdict alignment

A's APPROVED verdict is consistent with the findings: a narrowly-scoped, clearly-correct one-liner fix to a documented bug with no side effects.

Convergence

Aligned. A's review is accurate and complete; there are no false positives, no missed issues, and the approve verdict is correct. The PR is review-clean for this SHA.