I'm maintaining an open source project compress4j and had a working pipeline which triggered on tag. However, I've broken it down to allow PRs from forks to be able to run the pipeline, as certain stages use secrets to which the forks don't have access.
ci.yaml

name: CI
on:
  push:
    branches:
      - main
    tags:
      - v*
  pull_request:
    branches:
      - main
jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
    ...
sonar.yaml

name: Sonar
on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed
jobs:
  build:
    name: Sonar
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
    if: >
      github.event.workflow_run.conclusion == 'success'
    ...
release.yaml

name: Release
on:
  workflow_run:
    workflows:
      - Sonar
    types:
      - completed
env:
  DEFAULT_JDK_VERSION: 17
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' && startsWith(github.ref, 'refs/tags/v') }}
    ...
However, github.ref seems to be the branch even when a tag is pushed. How can I trigger the release workflow when the previous workflows were successful and a tag is pushed?
Yes, workflow_run always triggers your workflow on the default branch. In order to trigger a workflow on a tag, you may want to try triggering it yourself. In your CI workflow add this step:
- name: Trigger release when a tag is pushed
  if: startsWith( github.ref, 'refs/tags' )
  run: |
    echo Trigger release on a tag
    gh workflow run --ref ${{ github.ref_name }} Sonar
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
This will send a workflow_dispatch event to the Sonar workflow. The Sonar workflow will have to have a workflow_dispatch trigger.
Here, --ref sets the tag that the workflow will be run on. Sonar is the name of the workflow to trigger.
In order to be able to create a workflow_dispatch event you need to check out the repo using this step:

- uses: actions/checkout@v4
and configure the GitHub token with these permissions at the job level:

jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    permissions:
      contents: read
      actions: write
    strategy:
      ....
or at the workflow level:

permissions:
  contents: read
  actions: write
jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
Alternatively, you could simply set GITHUB_TOKEN to have read/write permissions by default at the repo level in Settings/Actions/General/Workflow Permissions. You would still need a checkout.
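To show how the dispatch chain fits together end to end, here is an added example (not the project's own workflow files and not part of the answer above) of a Sonar workflow that accepts both the automatic workflow_run trigger and the workflow_dispatch sent by the CI step, and then dispatches Release the same way when it is running on a tag. The job names, the SONAR_TOKEN secret name, the analysis step body and the single-OS matrix are assumptions; the project's real steps go where the placeholders are.

```yaml
# sonar.yaml (added example, not the project's file)
name: Sonar
on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed
  workflow_dispatch:          # receives `gh workflow run --ref <tag> Sonar` from CI

permissions:
  contents: read
  actions: write              # only needed for the dispatch step below

jobs:
  sonar:
    name: Sonar
    runs-on: ubuntu-latest
    # workflow_run: require the upstream CI run to have passed.
    # workflow_dispatch: there is no upstream conclusion, so let it through.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/checkout@v4          # gh needs a checkout to resolve the repo
      - name: Sonar analysis (placeholder step)
        run: echo "run the analysis here"
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name
      - name: Chain the release when running on a tag
        # github.ref is refs/tags/vX.Y.Z only when this run was dispatched with --ref <tag>;
        # for workflow_run it is the default branch, so this step is skipped there.
        if: startsWith(github.ref, 'refs/tags/v')
        run: gh workflow run --ref "${{ github.ref_name }}" Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

---
# release.yaml (added example, not the project's file)
name: Release
on:
  workflow_dispatch:          # dispatched by Sonar with --ref <tag>
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    permissions:
      contents: write         # assumed: publishing release artifacts needs write
    # Refuse to run unless the ref really is a release tag, so a manual
    # "Run workflow" on a branch cannot publish anything.
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
      - name: Publish (placeholder step)
        run: echo "publishing ${{ github.ref_name }}"
```

Two points worth checking in your own copy: first, the ref guard belongs on every workflow in the chain, not just the last one, because each of them can also be started by hand from the Actions tab; second, the dispatch steps only work with a token that has actions: write, which the GITHUB_TOKEN on a pull_request from a fork never has, so fork PRs still build in CI but cannot reach the Sonar or Release stages that hold the secrets.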