Open-issue triage sweep (2026-05-10): 14 issues classified, 3 fix PRs

[bearomorphism]

Summary

Open-issue triage sweep performed on 2026-05-10. All 14 then-open issues were
classified and (where appropriate) reproduced; bug/doc fixes have PRs.
Each issue also got an inline triage comment with the same classification
plus a workaround where one is reasonable.

Filing this as a tracking issue so a maintainer can:

1. Confirm or correct my classifications.
2. Land the three fix PRs below.
3. Decide which of the feature requests are accepted vs. closed.
4. Close the no-action / question issues that have a clear answer.

I'm not a maintainer here, so I have not applied labels or closed anything.

Bug / doc fixes -- PRs open

Issue	PR	What it fixes
#106	#112	README.md reference links to commitizen docs (404 -> 200)
#82	#113	Strip git commit summary from changelog_increment_filename output by forcing --git-output-to-stderr when that input is set
#94	#114	Report the new version on outputs.version when commit: false is combined with a version_provider that does not write a tracked file (e.g. scm). Captures via cz bump --get-next before the real bump

All three were reproduced on a fresh repo before the fix; PRs include
before/after evidence. PR #114 was iterated once after a code review
caught an incompatibility with cz < 4.10.1 (commitizen-tools/commitizen#1640).

Feature requests (out of scope for the bug/doc sweep)

Each of these has a workaround posted on the issue.

• Add output for next/previous tag #105 -- output next_tag / previous_tag (currently only version is exposed)
• [feature] cz action to output commit sha #98 -- output the bump commit SHA so downstream actions/checkout can use it
• Allow for "tag already exists" in cz bump github action #89 -- option to skip / continue when the target tag already exists (re-run safety)
• Feature Request: Option To Automatically Update Major and Minor Version Tags #23 -- option to auto-update floating vX / vX.Y tags inside users' own bump jobs
  (this repo itself already publishes such tags via the ci/publish-major-minor-tag workflow from ci: publish major and minor tags #88)

Usage questions / user-config (no code change)

• Bumping when resolving merge conflicts #86 -- merge-conflict bumping CHANGELOG.md across dev/staging/main;
  workflow design issue, fixable on the user's side with the existing
  if: ""!startsWith(github.event.head_commit.message, 'bump:')"" skip
  guard plus restricting bumps to the release branch.
• How to use pre_bump_hook scripts with this action #78 -- pre_bump_hook scripts inside the Docker container action;
  by-design limitation. Workarounds: install cz directly on the
  runner, use extra_requirements, or move hook work to a separate
  workflow step.
• Action does not find a specified file in version_files #83 -- Action does not find a specified file in version_files;
  already addressed by the working_directory input added in feat: add working_directory input #90,
  after this issue was filed. Likely closeable.
• [BUG]: Unstaged Changes #80 -- cannot pull with rebase: You have unstaged changes; not
  reproducible inside the action's own steps. Almost always caused by
  an earlier step in the same job dirtying the workspace.
• Possible race condition when commitizen-action is triggered twice by two different pushes #101 -- race condition between two pushes triggering overlapping
  bump runs; not a code defect, fixable with a workflow-level
  concurrency: group. Worth a README note.
• gpg: signing failed: No secret key #72 -- GPG signing (No secret key); gpg-agent was added by
  the merged feat: add gpg-agent #104 which removes the probably not installed error,
  but the underlying host -> container ~/.gnupg mount mismatch is
  outside this action. Best fix is a README addition documenting
  @rexut's workaround posted in
  gpg: signing failed: No secret key #72 (comment).

Meta

• Reporting a vulnerability #67 -- private vulnerability reporting; needs a repo admin to enable
  it under Settings -> Security -> Code security and analysis.

Suggested next actions for maintainers

• Land or push back on docs: fix broken commitizen documentation links #112, fix: keep git output out of the changelog increment file #113, fix: report new version when commit is false and no version files update #114.
• Close Action does not find a specified file in version_files #83 (already supported via working_directory).
• Close [BUG]: Unstaged Changes #80 (user-environment, not the action).
• Decide on labels / status for the feature requests (Add output for next/previous tag #105, [feature] cz action to output commit sha #98, Allow for "tag already exists" in cz bump github action #89, Feature Request: Option To Automatically Update Major and Minor Version Tags #23).
• Enable Private Vulnerability Reporting (Reporting a vulnerability #67) and close it.
• Optional doc additions to README.md for gpg: signing failed: No secret key #72 (GPG mount workaround) and Possible race condition when commitizen-action is triggered twice by two different pushes #101 (concurrency group).

cc @woile @Lee-W