lifecycle: annotated tags need a tagger identity

git_tag_annotated planted failed/<id> + denied/<id> as annotated tags via 'git tag -a' — which produces a git object and therefore needs user.name + user.email. without a global git config on the host that fell through to 'fatal: unable to auto-detect email address (got root@muede-lpt2.(none))' and the tag never landed. pass the hive-c0re identity inline with -c user.name=… -c user.email=… (same shape git_commit already uses), so the applied repo's deny/failure audit tags get planted reliably without depending on the host user's git config.
2026-05-16 03:00:44 +02:00 · 2026-05-16 03:00:44 +02:00 · 8336017eda
commit 8336017eda
parent c2bf0aa4f1
1 changed files with 17 additions and 1 deletions
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@ -598,9 +598,25 @@ pub async fn git_tag(dir: &Path, name: &str, target: &str) -> Result<()> {
 /// have to escape anything.
 pub async fn git_tag_annotated(dir: &Path, name: &str, target: &str, body: &str) -> Result<()> {
    use tokio::io::AsyncWriteExt;
+    // Annotated tags are git objects, so they need a tagger identity
+    // (same constraint as a commit). Pass the hive-c0re identity
+    // inline rather than relying on a global git config — applied
+    // repos are hive-c0re-owned and the host's user might not have
+    // user.email set.
    let mut child = git_command()
        .current_dir(dir)
-        .args(["tag", "-a", name, target, "-F", "-"])
+        .args([
+            "-c",
+            &format!("user.name={GIT_NAME}"),
+            "-c",
+            &format!("user.email={GIT_EMAIL}"),
+            "tag",
+            "-a",
+            name,
+            target,
+            "-F",
+            "-",
+        ])
        .stdin(std::process::Stdio::piped())
        .stdout(std::process::Stdio::piped())
        .stderr(std::process::Stdio::piped())