
I'm maintaining an open source project, compress4j, and had a working pipeline which triggered on tag. However, I've broken it down to allow PRs from forks to be able to run the pipeline, as certain stages use secrets to which the forks don't have access.

ci.yaml

name: CI
on:
  push:
    branches:
      - main
    tags:
      - v*
  pull_request:
    branches:
      - main

jobs:

  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
...

sonar.yaml

name: Sonar
on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed

jobs:
  build:
    name: Sonar
    runs-on: ${{ matrix.operating-system }}
    strategy:
      matrix:
        operating-system: [ ubuntu-latest, macos-12 ]
        java: [ 17, 21 ]
    if: >
      github.event.workflow_run.conclusion == 'success'
...

release.yaml

name: Release
on:
  workflow_run:
    workflows:
      - Sonar
    types:
      - completed
env:
  DEFAULT_JDK_VERSION: 17
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' && startsWith(github.ref, 'refs/tags/v')}}
...

However, github.ref seems to be the branch even when a tag is pushed. How can I trigger the release workflow when the previous workflows were successful and a tag is pushed?

  • Did you try using ${{ github.ref_name }} to check the tag when pushed? Check this question to get some insights regarding the differences with ${{ github.ref }}. You'll probably have to add an if condition somewhere, as you want to run the workflow for different types of events. Commented Aug 21, 2024 at 11:32

1 Answer

Yes, workflow_run always triggers your workflow on the default branch. In order to trigger a workflow on a tag, you may want to try triggering it yourself. In your CI workflow add this step:

  - name: Trigger release when a tag is pushed
    if: startsWith( github.ref, 'refs/tags' )
    run: |
      echo Trigger release on a tag
      gh workflow run --ref ${{ github.ref_name }} Sonar
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This will send a workflow_dispatch event to the Sonar workflow. The Sonar workflow will have to have a workflow_dispatch trigger.

Here, --ref sets the tag that the workflow will run on. Sonar is the name of the workflow to trigger.

In order to be able to create a workflow_dispatch event you need to check out the repo using this step

- uses: actions/checkout@v4

and configure GitHub token with these permissions at the job level:

jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}
    permissions:
      contents: read
      actions: write
    strategy:
    ....

or at the workflow level:

permissions:
  contents: read
  actions: write

jobs:
  ci:
    name: Build
    runs-on: ${{ matrix.operating-system }}

Alternatively, you could simply set GITHUB_TOKEN to have read/write permissions by default at the repo level in Settings/Actions/General/Workflow Permissions. You would still need a checkout.
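The full CI -> Sonar -> Release chain the answer describes, written out as an added example (this is not the compress4j project's actual configuration, and the build, Sonar and publish steps are left as placeholders). It follows the answer's approach of having each workflow dispatch the next one on the tag ref, with two practitioner-side choices: `actions: write` is granted only to the one job that runs `gh workflow run`, rather than to the whole workflow or to GITHUB_TOKEN repo-wide, and the tag name is passed to the shell through an environment variable instead of interpolating `${{ github.ref_name }}` directly into the `run:` script. The dispatch job is also gated on `github.event_name == 'push'`, so a pull_request run (whose ref is `refs/pull/...`) can never reach it; the job and workflow names below are assumptions.

```yaml
# ci.yaml (added example; build steps are placeholders)
name: CI
on:
  push:
    branches: [ main ]
    tags: [ 'v*' ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read            # default for every job unless a job widens it

jobs:
  ci:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... build and test steps ...

  # Runs only for a pushed tag, after the build job(s) succeed. Only this job
  # gets actions: write, which is what `gh workflow run` needs.
  dispatch-sonar:
    name: Trigger Sonar on tag
    needs: ci
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write
    steps:
      - uses: actions/checkout@v4   # gives gh the repository context
      - name: Dispatch Sonar on the tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}   # e.g. v1.2.3, passed via env, not inlined
        run: gh workflow run Sonar --ref "$TAG"
---
# sonar.yaml (added example; analysis steps are placeholders)
name: Sonar
on:
  workflow_run:
    workflows: [ CI ]
    types: [ completed ]
  workflow_dispatch:        # required so the CI tag job can start this on the tag ref

permissions:
  contents: read

jobs:
  sonar:
    name: Sonar
    # workflow_run: only after a successful CI run; workflow_dispatch: always
    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: write        # needed only because this job chains to Release
    steps:
      - uses: actions/checkout@v4
      # ... Sonar analysis steps ...
      - name: Chain to Release when running on a tag
        # github.ref is the dispatched tag ref here, so the tag check now works
        if: github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/v')
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.ref_name }}
        run: gh workflow run Release --ref "$TAG"
---
# release.yaml (added example; publish steps are placeholders)
name: Release
on:
  workflow_dispatch:        # started by Sonar on the tag ref; no workflow_run needed

permissions:
  contents: read            # widen (e.g. contents: write) only if the release job needs it

jobs:
  release:
    name: Release
    if: startsWith(github.ref, 'refs/tags/v')   # refuse a manual dispatch on a branch
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... publish steps that use repository secrets ...
```

Two things to keep in mind with this layout. A tag push still fires the `workflow_run` trigger on Sonar as well (that run executes on the default branch, where the tag check is false), so the dispatched run on the tag is in addition to it. And because the dispatched Sonar and Release runs execute with the repository's own GITHUB_TOKEN and secrets, the only path into them should be the tag-gated job in CI; keeping `actions: write` off the jobs that handle pull_request events is what prevents a fork PR from ever reaching the dispatch step.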


4 Comments

Wouldn't this bypass the Sonar flow? Release needs to trigger after Sonar too
Good point. There is a chain CI -> Sonar -> Release. Therefore CI would trigger Sonar which in turn will trigger Release.
I'm getting could not create workflow dispatch event: HTTP 403: Resource not accessible by integration but can't find what permissions I need
That is expected. Please see updated answer with correct permissions
