Summary
Unity-Developer-Tools' release pipeline now leaks the build zip artifact into main on every release. Two artifacts already landed: unity-developer-tools-v1.4.3.zip and unity-developer-tools-v1.4.4.zip, both committed by github-actions[bot] in the bump-version commit.
Root cause
DTD#51 fix flipped Unity's release.yml bump-commit step from selective git add .cursor-plugin/plugin.json README.md CHANGELOG.md to git add -A. The intent was to capture release-doc-sync's CLAUDE.md and ROADMAP.md edits, which it correctly does.
Unintended side effect: the selective add was incidentally protecting main from the zip artifact that the Build plugin zip step creates in the working tree. git add -A now stages the zip alongside everything else. There is no *.zip entry in .gitignore, so nothing else stops it.
The Build plugin zip step has been in release.yml since aafad1a (2026-04-08, 18 days of releases that uploaded zips to release assets without leaking them into main). The leak only started after the DTD#51 fix landed in PR #13.
CFX is unaffected (no zip-build step in CFX's release.yml).
Damage so far
2 zip files in main, ~247 KB total (~123 KB per release)
Per-release growth: ~123 KB
Unbounded if left alone (~6 MB after 50 releases at current rate)
No user-facing documentation references the in-main zip; install path is git clone. The zip is intended for release-asset consumption only.
Recommended fix (Option 2 from investigation)
*.zip to Unity-Developer-Tools' .gitignore
git rm the two existing zips from main
fix: prefix, closes Unity release.yml leaks build zip into main after DTD#51 fix (regression) #55
The .gitignore entry is the structural fix; it makes the zip artifact invisible to git regardless of which git add shape is used. Eliminates the latent coupling permanently.
Alternative options considered:
Option 1 (git add -A -- ':!*.zip'): more surgical, but preserves the latent coupling and adds workflow complexity.
Option 3 (reorder release.yml steps so zip builds after the bump-commit): defense-in-depth on top of Option 2, but overengineered for a single-asset workflow.
Out of scope
Other tool repos: scanned, no other repos have zip-build steps in their release.yml. Unity is the only affected repo.
Tracker
Filed alongside the fix that closes it (same session). Issue exists for permanent audit trail of the regression.
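An added example, not part of the original issue or the project's release.yml: a scratch-repo comparison of the staging shapes discussed above (the selective add, git add -A, the Option 1 pathspec exclusion, and git add -A with *.zip in .gitignore). File contents are constructed placeholders and the function names are hypothetical; it assumes git and mktemp are on PATH.

```shell
#!/bin/sh
# Added example: scratch-repo comparison of the staging shapes in this issue.
# File contents are constructed placeholders; function names are hypothetical.
export LC_ALL=C

# staged_with SHAPE: build a throwaway work tree that looks like the release
# job just before the bump commit, stage it, and print the index entries.
staged_with() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        mkdir .cursor-plugin
        echo '{"version": "1.4.4"}' > .cursor-plugin/plugin.json
        for f in README.md CHANGELOG.md CLAUDE.md ROADMAP.md; do
            echo "edited by release job" > "$f"
        done
        # Stands in for the output of the "Build plugin zip" step.
        echo "not a real archive" > unity-developer-tools-v1.4.4.zip
        case $1 in
            selective) git add .cursor-plugin/plugin.json README.md CHANGELOG.md ;;
            add-all)   git add -A ;;
            pathspec)  git add -A -- ':!*.zip' ;;                 # Option 1
            gitignore) echo '*.zip' > .gitignore; git add -A ;;   # Option 2
            *)         exit 2 ;;
        esac
        git ls-files | sort
    )
    rc=$?
    rm -rf "$repo"
    return $rc
}

# leaks_zip SHAPE: succeeds when the build zip ends up staged.
leaks_zip() { staged_with "$1" | grep -q '\.zip$'; }

# stages_docs SHAPE: succeeds when the release-doc-sync edits are staged.
stages_docs() {
    out=$(staged_with "$1") || return 1
    echo "$out" | grep -qx 'CLAUDE.md' && echo "$out" | grep -qx 'ROADMAP.md'
}

for shape in selective add-all pathspec gitignore; do
    leaks_zip "$shape" && zip=LEAKED || zip=clean
    stages_docs "$shape" && docs=staged || docs=missed
    printf '%-10s zip=%-7s docs=%s\n' "$shape" "$zip" "$docs"
done
```

Only the add-all shape stages the zip, and only the selective shape misses the CLAUDE.md and ROADMAP.md edits, which is the trade-off the issue describes.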