We received a dependabot notification for an update of sonarqube-scan-action to v3 but there was no associated changelog.
When looking at the repository (GitHub - SonarSource/sonarqube-scan-action), there are some git tags corresponding to the v3, but no release (the last release it v2.3.0).
In the GitHub marketplace (Official SonarQube Scan · Actions · GitHub Marketplace · GitHub), the last version seems also to be the version 2.3.0.
Finally, the commit corresponding to this v3 seems reverted on the main branch, so I’m very confused.
What is the status of this v3. Is it officially released? Should we update our workflows to this version of keep the v2.3.0?
Just providing some feedback on that - I don’t believe you should have deleted that tag. Once a tag is publicly available, tools like Renovate may automatically make pull requests that are potentially automatically merged assuming that CI passes, and deleting what is essentially a released version can break people’s builds. This is exactly what happened to us. If a release accidentally occurs, you should release a subsequent patch that reverts it, not delete the release. If that means needing to cut v4 in the future because v3 was automatically released, then so be it - that is what semantic versioning requires. If there are bugs in the release, then they should have been fixed via normal patches.