e2e.git.push silently fails to force-update existing tags on the embedded GitLab/Gitea

[jeanjerome]

Summary

e2e.git.push in scripts/lib/e2e/lib/push.sh reports a successful push to embedded GitLab/Gitea but does not actually update existing tags. Subsequent briklab test --gitlab --project X runs reuse the stale tag content, silently shipping out-of-date brik code to the runner.

Impact

When iterating on brik locally and running briklab test --gitlab --project node-minimal to validate changes, the test executes the FIRST pushed version of v0.1.0 — not the current working tree. This wastes debug cycles and produces misleading "the change doesn't work" conclusions when in fact the change was never deployed.

Concretely, during the glow rendering debugging on 2026-05-23, I edited lib/stages/notify.sh 4 times and re-ran the E2E each time. None of the edits reached the runner because the tag v0.1.0 on the embedded GitLab stayed at the morning commit (be013f3151 "Initial commit"). Only direct API-level tag force-pushes (git push origin +refs/tags/v0.1.0) worked.

Reproduction

cd /path/to/briklab
# 1. Initial push works
./scripts/briklab.sh test --gitlab --project node-minimal  # tag v0.1.0 set to commit A

# 2. Edit a file in ../brik/lib/stages/notify.sh
echo "# changed" >> ../brik/lib/stages/notify.sh

# 3. Re-run
./scripts/briklab.sh test --gitlab --project node-minimal
# Expected: tag v0.1.0 updated to commit B with the new content
# Actual:   tag v0.1.0 stays at commit A. Push log says "Pushed brik/brik with tag v0.1.0" but the tag is unchanged.

Verify via API:

curl -s -H "PRIVATE-TOKEN: $PAT" \
  http://gitlab.briklab.test:8929/api/v4/projects/2/repository/tags/v0.1.0 \
  | jq '.target'
# Same SHA as before, despite the "Pushed" message

Root cause analysis

In scripts/lib/e2e/lib/git.sh, e2e.git.push invokes:

git -c "credential.username=${username}" push -u origin main --tags $flags >/dev/null 2>&1

where $flags = "--force" (passed by callers).

Per git's documentation, git push --tags --force:

• creates tags that do not exist on the remote
• but refuses to update an EXISTING tag on the remote unless the refspec is explicit (+refs/tags/<tag>:refs/tags/<tag>) OR you use --force-with-lease per tag

Combined with the script's >/dev/null 2>&1 redirect, the "tag rejected" message is hidden and the function returns 0 (because the main ref push succeeded). The caller thinks everything worked.

Suggested fix

Replace the single push with two explicit pushes, OR use +refs/... refspec for tags:

git -c "credential.username=${username}" push -u origin main $flags 2>&1 \
  || return 1
if [[ -n "$tag" ]]; then
    git -c "credential.username=${username}" push origin "+refs/tags/${tag}" 2>&1 \
        || return 1
fi

The + prefix on the refspec forces tag update unconditionally.

Also: drop the >/dev/null 2>&1 so push errors surface to the caller. The function already checks the exit code; the silent redirect hides actionable diagnostics.

Related

Debugging trace lives in the brik PR #22 conversation (chore/notify-glow-banner branch). The glow rendering fix had to be force-pushed via manual git push +refs/tags/v0.1.0 to make the E2E test actually exercise the new code.