githubgithub-actionsreleasecicd

Github Actions workflow_run condition on tag

I'm maintaining an open source project compress4j and had a working pipeline which triggered on tag. However, I've broken it down to allow PRs from forks to be able run the pipeline as certain stages uses secrets to which the forks don't have access.

ci.yaml

name: CI
on:
  push:
    branches:
      - main
    tags:
      - v*
  pull_request:
    branches:
      - main

jobs:

  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
...

sonar.yaml

name: Sonar
on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed

jobs:
  build:
    name: Sonar
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
    if: >
      github.event.workflow_run.conclusion == 'success'
...

release.yaml

name: Release
on:
  workflow_run:
    workflows:
      - Sonar
    types:
      - completed
env:
  DEFAULT_JDK_VERSION: 17
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' && startsWith(github.ref, 'refs/tags/v')}}
...

However, github.ref seems to be the branch even when a tag is pushed. How can I trigger the release workflow when previous worflows were sucessfull and a tag is pushed?

Solution

  • Yes, workflow_run always triggers your workflow on the default branch. In order to trigger a workflow on a tag, you may want to try triggering it yourself. In your CI workflow add this step:

      - name: Trigger release when a tag is pushed
    if: startsWith( github.ref, 'refs/tags' )
    run: |
      echo Trigger release on a tag
      gh workflow run --ref ${{ github.ref_name }} Sonar
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    This will send a workflow_dispatch event to the Sonar workflow. Sonar workflow will have to have workflow_dispatch trigger.

    Here, --ref sets the tag that will be used to run the workflow on. Sonar in the name of the workflow to trigger.

    In order to be able to create workflow_dispatch event you need to checkout the repo using this step

    - uses: actions/checkout@v4

    and configure GitHub token with these permissions at the job level:

    jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    permissions:
      contents: read
      actions: write
    strategy:
    ....

    or at the workflow level:

    permissions:
  contents: read
  actions: write

jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}

    Alternatively, you could simply set GITHUB_TOKEN to have read/write permissions by default at the repo level in Settings/Actions/General/Workflow Permissions. You would still need a checkout.