Git push from a manual workflow doesn't trigger other on-push workflow

Good day,

I have a workflow in my repo to trigger a build on push (including tags). When I create and push tags from my laptop it’s triggered just fine.
I then went ahead and created a manual (workflow_dispatch) workflow to tag a new release in my repo (similar to what I do on my laptop). However, when I run this workflow it tags and pushes successfully, but the on-push workflow doesn’t trigger.

What am I missing?

My manual workflow is below. Running the same make bumpver from my laptop shell works as expected, triggering the build in GH.

name: Tag

on:
  workflow_dispatch: {}

jobs:
  tag:
    name: Tag new version
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2
      with:
        fetch-depth: 0

    - name: Tag
      run: |
        set -x
        git config --local user.email "action@github.com"
        git config --local user.name "${{ github.actor }}"
        export PATH=$HOME/.local/bin:$PATH
        python3 -m pip install --upgrade pip --user
        which pip
        pip install bumpver --user
        make release
      env:
        LC_ALL: C.UTF-8

The documentation on Using the GITHUB_TOKEN in a workflow explains this behavior:

When you use the repository’s GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository’s GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

If you want the push to trigger a new workflow, you need to use a PAT (personal access token) for authentication instead. Or you could try adding a workflow_run trigger to the build workflow to run it when the tag workflow completes.

@airtower-luna,

By default, the checkout action uses ${{ github.token }} (that is, the GITHUB_TOKEN) as the authentication token, and sets persist-credentials to true.
In this situation, the GITHUB_TOKEN will be used to configure the local git config, and the git commands in the subsequent steps of the same job will use this GITHUB_TOKEN as the authentication token, even if you provide another token (such as a PAT) in the subsequent steps.
For more details, see the input parameters of the checkout action.

As @airtower-luna mentioned, the GITHUB_TOKEN can’t trigger a new workflow run; you need to use a personal access token (PAT).

In your case, if you want to trigger the workflow with the push, you can try this:
Use a PAT as the value of the input token on the checkout action in your workflow, and keep persist-credentials true. This way, the PAT will be used to configure the local git config.

steps:
  - name: Checkout
    uses: actions/checkout@v2
    with:
      token: ${{ secrets.GITHUB_PAT }}
      fetch-depth: 0

  - name: Tag
    run: |
      . . .

Thank you for the quick and educating responses. I chose to use workflow_run trigger as suggested and it did the job beautifully.


Unfortunately my conclusions were premature:

  • The workflow_run trigger indeed triggers the build workflow, but it runs on HEAD, not on the created tag, which obviously misses the point (my build workflow has “release” as its final step, which runs only if the build git ref is a tag)
  • Using a PAT is a security breach IMHO - if I generate a PAT and load it as a GH secret for GH Actions to use, it gives anyone with write access to the repo access to this token and hence to everything this token has access to (including my other repos, etc.). I wish there were a way to scope a PAT to a particular repo only, but I can’t find any sane [1] way to do it

So I’m back to square one :expressionless:

[1] Limiting scope of a PAT to a single repository

After more research, using a deploy key results in a quite reasonable setup to achieve what I want:

  • Created a dedicated SSH key pair on my computer.
  • Registered the public part as a deploy key for the repo in question, with write access
  • Loaded the private part as the DEPLOY_KEY_CI_TAGGING GH Secret

Here is the full workflow:

name: Tag

on:
  workflow_dispatch: {}

jobs:
  tag:
    name: Tag new version
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2
      with:
        fetch-depth: 0

    # https://github.community/t/git-push-from-a-manual-workflow-it-doesnt-trigger-other-on-push-workflow/139190/5
    - name: Switch git credentials to RW
      uses: webfactory/ssh-agent@v0.4.1
      with:
        ssh-private-key: ${{ secrets.DEPLOY_KEY_CI_TAGGING }}

    - name: Tag
      run: |
        set -x
        git config --local user.email "action@github.com"
        git config --local user.name "${{ github.actor }}"
        # Force using the SSH credentials from the previous step
        git remote set-url origin git@github.com:${{ github.repository }}.git
        make release  # create tag, push tag, etc.
      env:
        LC_ALL: C.UTF-8

Thank you all again for the information provided.
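An added example (not from any post in this thread, and not part of actions/checkout or webfactory/ssh-agent) that ties together two points above: the reply explaining that actions/checkout with persist-credentials true leaves the GITHUB_TOKEN in the local git config for later steps, and the final workflow, which switches the origin remote to SSH so that the deploy key is used instead. The script below audits a checkout's .git/config with plain POSIX sh and awk and reports which credential a later git push to origin would use. The sample config contents are constructed; example-org/example-repo and REDACTED-BASE64 are placeholders, and the header layout assumed is the http.https://github.com/.extraheader entry that actions/checkout writes when it persists credentials.

```shell
#!/bin/sh
# Added example: audit a checkout's .git/config to see which credential a
# later `git push` to origin would use. actions/checkout (persist-credentials
# defaults to true) stores the job token as an "extraheader" under the
# [http "https://github.com/"] section; switching the remote to SSH, as the
# deploy-key workflow in the thread does, bypasses that header but does not
# remove it.

# remote_url <config-file> <remote-name>: print the url of a remote section.
remote_url() {
    awk -v want="[remote \"$2\"]" '
        $0 == want           { insec = 1; next }
        /^\[/                { insec = 0 }
        insec && $1 == "url" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# has_persisted_token <config-file>: succeed if an Authorization extraheader
# for github.com is stored (what actions/checkout persists).
has_persisted_token() {
    awk '
        /^\[http "https:\/\/github\.com\/"\]/ { insec = 1; next }
        /^\[/                                  { insec = 0 }
        insec && tolower($1) == "extraheader" && tolower($0) ~ /authorization:/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# push_credential <config-file>: print one of
#   ssh-key          origin is an SSH remote; the stored header is not consulted
#   persisted-token  origin is HTTPS and an Authorization header is stored
#   none             origin is HTTPS with no stored header
push_credential() {
    url=$(remote_url "$1" origin)
    case "$url" in
        git@*|ssh://*) echo ssh-key ;;
        *)
            if has_persisted_token "$1"; then echo persisted-token
            else echo none
            fi ;;
    esac
}

# sample_config <variant>: constructed .git/config contents (placeholders,
# not captured from a real runner).
sample_config() {
    case "$1" in
        after-checkout)   # what checkout leaves behind with persist-credentials: true
            printf '%s\n' \
                '[http "https://github.com/"]' \
                '    extraheader = AUTHORIZATION: basic REDACTED-BASE64' \
                '[remote "origin"]' \
                '    url = https://github.com/example-org/example-repo' \
                '    fetch = +refs/heads/*:refs/remotes/origin/*' ;;
        ssh-remote)       # after: git remote set-url origin git@github.com:...
            printf '%s\n' \
                '[http "https://github.com/"]' \
                '    extraheader = AUTHORIZATION: basic REDACTED-BASE64' \
                '[remote "origin"]' \
                '    url = git@github.com:example-org/example-repo.git' ;;
        clean)            # checkout with persist-credentials: false
            printf '%s\n' \
                '[remote "origin"]' \
                '    url = https://github.com/example-org/example-repo' ;;
    esac
}

# Stand-alone demo over the three constructed configs.
demo() {
    tmp=$(mktemp)
    for v in after-checkout ssh-remote clean; do
        sample_config "$v" > "$tmp"
        printf '%-15s push uses: %s\n' "$v" "$(push_credential "$tmp")"
    done
    rm -f "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

In a job, `push_credential .git/config` run as a step after checkout tells you whether the deploy key or the persisted job token will carry the push. If the stored token is not needed at all, set `persist-credentials: false` on the checkout step, or remove it afterwards with `git config --local --unset-all http.https://github.com/.extraheader`, so that nothing later in the job can push with it by accident.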