Tags: github, github-actions, release, cicd

GitHub Actions workflow_run condition on tag


I'm maintaining an open source project, compress4j, and had a working pipeline which triggered on tag. However, I've broken it down to allow PRs from forks to be able to run the pipeline, as certain stages use secrets to which the forks don't have access.

ci.yaml

name: CI
on:
  push:
    branches:
      - main
    tags:
      - v*
  pull_request:
    branches:
      - main

jobs:

  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
...

sonar.yaml

name: Sonar
on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed

jobs:
  build:
    name: Sonar
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
    if: >
      github.event.workflow_run.conclusion == 'success'
...

release.yaml

name: Release
on:
  workflow_run:
    workflows:
      - Sonar
    types:
      - completed
env:
  DEFAULT_JDK_VERSION: 17
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' && startsWith(github.ref, 'refs/tags/v')}}
...

However, github.ref seems to be the branch even when a tag is pushed. How can I trigger the release workflow when the previous workflows were successful and a tag is pushed?


Solution

  • Yes, workflow_run always triggers your workflow on the default branch. In order to trigger a workflow on a tag, you may want to try triggering it yourself. In your CI workflow, add this step:

      - name: Trigger release when a tag is pushed
        if: startsWith( github.ref, 'refs/tags' )
        run: |
          echo Trigger release on a tag
          gh workflow run --ref ${{ github.ref_name }} Sonar
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    

    This will send a workflow_dispatch event to the Sonar workflow. The Sonar workflow will have to have a workflow_dispatch trigger.

    Here, --ref sets the tag that the workflow will be run on. Sonar is the name of the workflow to trigger.

    In order to be able to create a workflow_dispatch event, you need to check out the repo using this step:

    - uses: actions/checkout@v4
    

    and configure the GitHub token with these permissions at the job level:

    jobs:
      ci:
        name: Build
        runs-on: ${{ matrix.operating-system }}
        permissions:
          contents: read
          actions: write
        strategy:
        ....
    

    or at the workflow level:

    permissions:
      contents: read
      actions: write
    
    jobs:
      ci:
        name: Build
        runs-on: ${{ matrix.operating-system }}
    

    Alternatively, you could simply set GITHUB_TOKEN to have read/write permissions by default at the repo level in Settings/Actions/General/Workflow Permissions. You would still need a checkout.
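The pieces of the answer assembled into a complete chain, as an added example that is not part of the answer and not the project's own workflow files. It goes beyond the answer in two ways: Sonar dispatches Release the same way, because a Release triggered by workflow_run would again run on the default branch with github.ref pointing at main; and the dispatch step is pinned to a single matrix leg, since otherwise a four-leg build matrix would dispatch Sonar four times per tag. The tag name is read from the runner-provided GITHUB_REF_NAME environment variable and quoted, rather than interpolated with ${{ github.ref_name }} inside run:, so a tag name containing shell metacharacters cannot inject into the shell. Build, Sonar and release steps are elided as comments, the Sonar matrix is collapsed to one runner for brevity, and the three files are separated with YAML document markers; those choices are assumptions, not the project's configuration.

```yaml
# ci.yaml (added example): builds on push/PR and, for a v* tag, dispatches
# the Sonar workflow on that tag exactly once.
name: CI
on:
  push:
    branches: [ main ]
    tags: [ 'v*' ]
  pull_request:
    branches: [ main ]

# Workflow-level least privilege for GITHUB_TOKEN; actions: write is the
# one extra permission `gh workflow run` needs.
permissions:
  contents: read
  actions: write

jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
    steps:
      - uses: actions/checkout@v4
      # ... build and test steps as before ...
      - name: Trigger Sonar when a tag is pushed
        # pull_request runs carry refs/pull/N/merge, so fork PRs never reach
        # this; pin to one matrix leg so a tag dispatches Sonar once, not four times.
        if: >
          startsWith(github.ref, 'refs/tags/v') &&
          matrix.operating-system == 'ubuntu-latest' && matrix.java == 17
        # GITHUB_REF_NAME is set by the runner; passing it quoted avoids shell
        # injection through a crafted tag name.
        run: gh workflow run --ref "$GITHUB_REF_NAME" Sonar
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# sonar.yaml (added example): keeps the workflow_run trigger for main/PR
# runs, accepts the tag dispatch from CI, and on a tag dispatches Release.
name: Sonar
on:
  workflow_run:
    workflows: [ CI ]
    types: [ completed ]
  workflow_dispatch:

permissions:
  contents: read
  actions: write

jobs:
  build:
    name: Sonar
    runs-on: ubuntu-latest
    # A dispatched run has no workflow_run payload (the comparison is against
    # null and is simply false), so accept either trigger explicitly.
    if: >
      github.event_name == 'workflow_dispatch' ||
      github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/checkout@v4
      # ... Sonar analysis steps as before ...
      - name: Trigger Release when a tag is pushed
        if: github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/v')
        run: gh workflow run --ref "$GITHUB_REF_NAME" Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
---
# release.yaml (added example): dispatch-only, since a workflow_run trigger
# would again run on the default branch with the wrong github.ref.
name: Release
on:
  workflow_dispatch:
env:
  DEFAULT_JDK_VERSION: 17

permissions:
  contents: write   # publishing the release needs write; nothing else does

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
      # ... release steps as before ...
```

Two caveats worth checking before adopting this. First, `gh` is preinstalled on GitHub-hosted runners, and workflow_dispatch is one of the two event types that GITHUB_TOKEN is allowed to trigger (most other events created with that token deliberately do not start new runs), which is why the chain works without a personal access token. Second, the workflow_run path in Sonar still runs with the base repository's secrets after a CI run for a fork PR, so that job should only check out and analyse trusted code, never the PR head, or the secrets the split was meant to protect are exposed to the fork.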