The documentation on Using the GITHUB_TOKEN in a workflow explains this behavior:

When you use the repository’s GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository’s GITHUB_TOKEN , a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

It you want the push to trigger a new workflow you need to use a PAT (personal access token) for authentication instead. Or you could try adding a workflow_run trigger to the build workflow to run it when the tag workflow completes.

@airtower-luna,

By default, the checkout action uses ${{ github.token }} (that is the GITHUB_TOKEN) as the authentication token, and set persist-credentials as true.
In this situation, the GITHUB_TOKEN will be used to configure the local git config, and the git commands in the subsequent steps of the same job will use this GITHUB_TOKEN as the authentication token. Even if you provide another token (such as a PAT) in the subsequent steps.
More details, see the input parameters of checkout action:

• token
• persist-credentials

As @airtower-luna mentioned, the GITHUB_TOKEN can’t trigger new workflow run, you need to use a personal access token (PAT).

In your case, if you want to trigger the workflow with the push, you can try like as this:
Use a PAT as the value of the input token on the checkout action in your workflow, and persist-credentials still is true. In this way the PAT will be used to configure the local git config.

steps:
  - name: Checkout
    uses: actions/checkout@v2
    with:
      token: ${{ secrets.GITHUB_PAT }}
      fetch-depth: 0

name: Tag

run: |

. . .

Thank you for the quick and educating responses. I chose to use workflow_run trigger as suggested and it did the job beautifully.

Unfortunately my conclusions were premature:

• workflow_run trigger indeed triggers the build workflow, but it runs on HEAD, not on the created tag which misses the point obviously (my build workflow has “release” as its final step that runs only if the build git ref is tag)
• Using PAT is a security breach IMHO - if I generate a PAT and load it as GH secret for GH Actions to use, it gives anyone with write access to the repo access to this token and hence to everything this token has a access to (including my other repos, etc.). I wish there could be a way to scope a PAT to a particular repo only but I can’t find any sane [1] way to do it

So I’m back to square one 😑

[1] Limiting scope of a PAT to a single repository