[HDX] Fix duplicate git tag push in release workflow

[wrn14897]

Why

The Release workflow's Check Changesets job failed on the Create Release Pull Request or Publish to npm step, which gates every downstream job (Docker app/local/all-in-one/otel-collector builds, CLI binary release, downstream notifications).

Failed run: https://github.com/hyperdxio/hyperdx/actions/runs/26666123898/job/78599749256

The npm publish of @hyperdx/cli@0.5.0 actually succeeded, but the job still exited non-zero on the subsequent git tag push:

[command]/usr/bin/git push origin @hyperdx/cli@0.5.0
[command]/usr/bin/git push origin @hyperdx/cli@0.5.0      ← pushed twice
 * [new tag]         @hyperdx/cli@0.5.0 -> @hyperdx/cli@0.5.0
 ! [remote rejected] @hyperdx/cli@0.5.0 -> @hyperdx/cli@0.5.0 (cannot lock ref 'refs/tags/@hyperdx/cli@0.5.0': reference already exists)
error: failed to push some refs to 'https://github.com/hyperdxio/hyperdx'
##[error]Error: The process '/usr/bin/git' failed with exit code 1

Root cause

The release script was:

"release": "npx changeset tag && npx changeset publish"

• changeset tag creates git tags for all packages (including the 4 private ones that are never published to npm).
• changeset publish then publishes to npm and also creates a git tag for each package it publishes.

When a publishable package (@hyperdx/cli) is published for the first time in a run, both commands create its tag. The changesets GitHub Action then pushes each queued tag individually, so @hyperdx/cli@0.5.0 got pushed twice. The first push succeeds; the second is rejected with reference already exists, and git exits 1 — failing the whole job.

(The 4 private packages only get tagged once, by changeset tag, so they never collide. Only the freshly-published public package double-pushes.)

Fix

"release": "npx changeset publish --no-git-tag && npx changeset tag"

changeset publish --no-git-tag handles npm only and no longer creates git tags. changeset tag becomes the single source of truth for git tags across all packages (public and private), so each tag is created and pushed exactly once. This preserves the existing behavior of tagging every package while eliminating the duplicate push.

--no-git-tag is supported by the pinned @changesets/cli@2.26.2.

Note on the affected release

The blocked 2.28.0 / cli@0.5.0 release was unblocked out-of-band by deleting the stale git tags and the leftover changeset-generated GitHub Releases and re-running the workflow; that release has since completed. This PR only prevents the failure from recurring on future first-time package publishes.

Testing

• make ci-lint (formatting/lint)
• Verified changeset publish --no-git-tag is a valid flag in @changesets/cli@2.26.2.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 54510bb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hyperdx-oss	Ignored		May 29, 2026 11:08pm
hyperdx-storybook	Ignored		May 29, 2026 11:08pm

[github-actions]

🔵 Tier 2 — Low Risk

Small, isolated change with no API route or data model modifications.

Why this tier:

• Standard feature/fix — introduces new logic or modifies core functionality

Review process: AI review + quick human skim (target: 5–15 min). Reviewer validates AI assessment and checks for domain-specific concerns.
SLA: Resolve within 4 business hours.

Stats

• Production files changed: 1
• Production lines changed: 2
• Branch: warren/fix-release-duplicate-tag-push
• Author: wrn14897

To override this classification, remove the review/tier-2 label and apply a different review/tier-* label. Manual overrides are preserved on subsequent pushes.

[github-actions]

Deep Review

✅ No critical issues found.

The diff is a single-line change to the release script in package.json:53 that reorders changeset publish and changeset tag and adds --no-git-tag to the publish step. The change is minimal, well-scoped, and the --no-git-tag flag is supported by the pinned @changesets/cli@2.26.2 (resolved in yarn.lock). The changesets/action@v1 step in .github/workflows/release.yml:49 discovers tags by parsing yarn release stdout for "New tag" lines; under the new ordering only changeset tag emits those lines, so each tag is pushed exactly once. Private package tags continue to be emitted by changeset tag and remain in the pushed set, matching prior behavior.

🟡 P2 -- recommended

• package.json:53 -- the new ordering introduces a failure mode where a successful changeset publish --no-git-tag leaves npm packages immutably published, and a subsequent failure of changeset tag would leave the repo without corresponding git tags, with no automatic rollback.
  • Fix: accept the trade-off and document it in the release runbook, or wrap npx changeset tag with a small retry/log step so an operator notices when tags lag a successful publish.

---

Reviewers (5): correctness, reliability, maintainability, project-standards, testing

Testing gaps: End-to-end behavior of yarn release under the changesets GitHub Action is only verifiable on the next real release; no automated regression test is feasible for this CI-script change.

[github-actions]

E2E Test Results

✅ All tests passed • 192 passed • 3 skipped • 1309s

Status	Count
✅ Passed	192
❌ Failed	0
⚠️ Flaky	3
⏭️ Skipped	3

Tests ran across 4 shards in parallel.

View full report →