how to trigger workflow from a tag pushed from a workflow? #179550
Why are you starting this discussion? Question

What GitHub Actions topic or product is this about? Misc

Discussion Details

My general CI workflow for python projects is build -> test -> if-on-master-then-cut-tag -> if-tag-then-release-to-pypi

GitHub actions/workflow imposes an intentional limitation of not triggering workflow run when GITHUB_TOKEN is used:

...which means when we push a tag from within a workflow, said tag won't trigger another job/workflow.

How do y'all deal with this? Obvious way would be adding a PAT to repo, but that feels like a future maintenance hell and is generally suggested against throughout the documentation. Also, correct me if I'm wrong, but org-level secrets cannot be added to a regular user account.

One hacky-ish way would be triggering workflow via rest call, but not sure how to do this when reusable workflows are in use (i.e. when one workflow calls another).

Real-life example of a reusable workflow that's creating & pushing a tag:

```yaml
name: publish
on:
  workflow_call:
jobs:
  build-test:
    name: Build & test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: install dev/test deps
        run: |
          pip install '.[dev]'
      - name: Test
        run: |
          pytest
      - name: Install pypa/build & build the binary wheel/src tarball
        run: |
          pip install build
          python -m build
      - name: Store the distribution packages
        uses: actions/upload-artifact@v4
        with:
          name: release-dist
          path: dist/
  version-tag-changelog:
    name: Version & tag the release
    if: ${{ github.ref == 'refs/heads/master' }}
    needs:
      - build-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: true
      - name: Configure git
        run: |
          git config --global user.name 'workflow-bot'
          git config --global user.email 'ci@github'
      - name: Install zestreleaser & cut a tag
        run: |
          pip install zest.releaser
          fullrelease --no-input  # <- note this will create a tag & push it back to our repo
```
Replies: 2 comments
good
GitHub blocks events created with GITHUB_TOKEN from triggering new workflow runs, so a tag pushed inside a workflow will not start another workflow. This is intentional and can’t be overridden.

If you need the tag to trigger a release workflow, the only supported option is to use a fine-grained PAT stored as a secret (repo or org). Otherwise, keep the entire release process in a single workflow instead of relying on a second workflow triggered by the tag.

User accounts don’t have org-level secrets, so PAT rotation must be done per repo.
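
The single-workflow option from the answer above, as an added example that is not code posted by anyone in this discussion: one job cuts the tag with GITHUB_TOKEN and passes the tag name to a publish job in the same run, so nothing depends on a tag-triggered workflow or a PAT. Assumptions: `fullrelease` only tags and pushes as the question describes, the workflow, job, step and output names are made up here, the question's build-test job is omitted, and PyPI trusted publishing is configured for the repository.

```yaml
name: release
on:
  push:
    branches: [master]
permissions: {}                      # deny by default; each job opts in
jobs:
  tag:
    runs-on: ubuntu-latest
    permissions:
      contents: write                # only this job may push commits and tags
    outputs:
      tag: ${{ steps.cut.outputs.tag }}
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: true  # GITHUB_TOKEN is needed for the push
      - name: Configure git
        run: |
          git config --global user.name 'workflow-bot'
          git config --global user.email 'ci@github'
      - name: Cut a tag
        id: cut
        run: |
          pip install zest.releaser
          fullrelease --no-input
          # Assumption: the newest tag reachable from HEAD is the one just cut.
          echo "tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_OUTPUT"
  publish:
    needs: tag                       # same run, so no new trigger is required
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                # OIDC for PyPI trusted publishing, no stored token
    steps:
      - uses: actions/checkout@v5
        with:
          ref: ${{ needs.tag.outputs.tag }}
          persist-credentials: false # publish job never needs to push
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build from the tagged commit
        run: |
          pip install build
          python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The commits and tag pushed by the `tag` job do not start another run of this workflow, for the same GITHUB_TOKEN reason given in the answer, so the workflow does not loop.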