ci: require explicit tag input for cuda-pathfinder release workflow (#1668)

* ci: require existing cuda-pathfinder tag in release workflow

Use a single explicit tag input for releases and validate both format and branch reachability before proceeding. This prevents the workflow from creating new tags and ensures releases are tied to pre-existing refs.

Co-authored-by: Cursor <cursoragent@cursor.com>

* ci: simplify cuda-pathfinder release tag handling

Resolve the release input directly as an explicit tag ref in checkout and require gh release creation to verify that tag exists. This removes redundant git validation plumbing while still preventing the workflow from creating tags implicitly.

Co-authored-by: Cursor <cursoragent@cursor.com>

* ci: remove manual tag format check in pathfinder release workflow

Rely on checkout of the explicit tag ref and gh release --verify-tag for existence checks, reducing workflow-specific validation logic while preserving no-tag-creation behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: cpcloud

.github/workflows/release-cuda-pathfinder.yml

@@ -4,8 +4,8 @@
 
 # One-click release workflow for cuda-pathfinder.
 #
-# Provide a version number and commit SHA.  The workflow automatically finds
-# the CI run and creates the git tag, creates a draft GitHub release with the standard
+# Provide a release tag. The workflow finds
+# the CI run, creates a draft GitHub release with the standard
 # body, builds versioned docs, uploads source archive + wheels to the
 # release, publishes to TestPyPI, verifies the install, publishes to PyPI,
 # verifies again, and finally marks the release as published.
@@ -15,12 +15,8 @@ name: "Release: cuda-pathfinder"
 on:
   workflow_dispatch:
     inputs:
-      version:
-        description: "Version to release (e.g. 1.3.5)"
-        required: true
-        type: string
-      commit:
-        description: "Commit SHA to release (must be on default branch)"
+      tag:
+        description: "Release tag to publish (e.g. cuda-pathfinder-v1.3.5)"
         required: true
         type: string
 
@@ -34,7 +30,7 @@ defaults:
 
 jobs:
   # --------------------------------------------------------------------------
-  # Validate inputs, find the CI run, create the tag + draft release.
+  # Collect release metadata, find the CI run, create a draft release.
   # --------------------------------------------------------------------------
   prepare:
     runs-on: ubuntu-latest
@@ -53,52 +49,22 @@ jobs:
             exit 1
           fi
 
-      - name: Validate version
+      - name: Set release variables
         id: vars
         env:
-          VERSION_INPUT: ${{ inputs.version }}
+          TAG_INPUT: ${{ inputs.tag }}
         run: |
-          # Strip leading "v" if present (common typo)
-          version="${VERSION_INPUT#v}"
-          if [[ ! "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "::error::Version must be MAJOR.MINOR.PATCH, got: ${version}"
-            exit 1
-          fi
-          tag="cuda-pathfinder-v${version}"
+          version="${TAG_INPUT#cuda-pathfinder-v}"
           {
-            echo "tag=${tag}"
+            echo "tag=${TAG_INPUT}"
             echo "version=${version}"
           } >> "$GITHUB_OUTPUT"
 
-      - name: Validate commit input format
-        env:
-          COMMIT_INPUT: ${{ inputs.commit }}
-        run: |
-          # Require a full SHA to avoid ambiguity and accidental releases.
-          if [[ ! "${COMMIT_INPUT}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            echo "::error::Commit must be a full 40-character SHA, got: ${COMMIT_INPUT}"
-            exit 1
-          fi
-
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
-          ref: ${{ inputs.commit }}
-
-      - name: Validate and resolve commit
-        id: commit
-        env:
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-        run: |
-          git fetch --no-tags origin "${DEFAULT_BRANCH}"
-          commit=$(git rev-parse --verify "HEAD^{commit}")
-
-          if ! git merge-base --is-ancestor "${commit}" "origin/${DEFAULT_BRANCH}"; then
-            echo "::error::Commit ${commit} is not reachable from origin/${DEFAULT_BRANCH}"
-            exit 1
-          fi
-
-          echo "commit=${commit}" >> "$GITHUB_OUTPUT"
+          # Resolve only the exact tag ref; checkout fails if the tag does not exist.
+          ref: refs/tags/${{ steps.vars.outputs.tag }}
 
       - name: Check release notes exist
         env:
@@ -117,22 +83,6 @@ jobs:
           ctk_ver=$(yq '.cuda.build.version' ci/versions.yml)
           echo "ctk-ver=${ctk_ver}" >> "$GITHUB_OUTPUT"
 
-      - name: Create tag
-        env:
-          TAG: ${{ steps.vars.outputs.tag }}
-          TARGET_COMMIT: ${{ steps.commit.outputs.commit }}
-        run: |
-          if git rev-parse "${TAG}" >/dev/null 2>&1; then
-            existing_commit=$(git rev-parse "${TAG}^{commit}")
-            if [[ "${existing_commit}" != "${TARGET_COMMIT}" ]]; then
-              echo "::error::Tag ${TAG} already exists at ${existing_commit}, expected ${TARGET_COMMIT}"
-              exit 1
-            fi
-          else
-            git tag "${TAG}" "${TARGET_COMMIT}"
-            git push origin "${TAG}"
-          fi
-
       - name: Detect CI run ID
         id: detect-run
         env:
@@ -179,6 +129,7 @@ jobs:
             --repo "${{ github.repository }}" \
             --draft \
             --latest=false \
+            --verify-tag \
             --title "cuda-pathfinder v${VERSION}" \
             --notes-file /tmp/release-body.md