Pushing a tag within an action doesn't trigger another workflow

I have a node script that handles auto tagging for me:

// tag-bump-version.js
[...]
const tagAndPush = `git tag -a ${version} -m "${version}" && git push origin --tags ${process.env.GITHUB_SHA}:${process.env.GITHUB_REF}`

childProcess.execSync(tagAndPush, { cwd: '.' })

My action runs this script:

name: Tag Branch

on:
  push:
    branches:
      - master
      - development
      - sandbox
      - staging

[...]

      - name: Tag branch
        run: |
          git config --global user.name 'Github Actions'
          git config --global user.email 'alexcroox@users.noreply.github.com'
          node ./automation/tag-bump-version.js

This completes without errors and I can see the new tags locally so I know they’ve been pushed.

However another action I have that listens for changes in those tags, doesn’t run:

name: Development Deploy Web

on:
  push:
    tags:
      - 0.*

I know this action should run because when I pushed tags previously in an external CI/CD tool it triggered it correctly.

So my guess is my commit/push command from the development branch is missing something

I can’t see it in your workflow excerpt, but it looks like you’re using the GITHUB_TOKEN to authorize the push. In that case it won’t trigger new workflows by design (see Using the GITHUB_TOKEN in a workflow):

When you use the repository’s GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run.

If you want to trigger a workflow, you need to create a PAT and use that to authorize the push.

Thanks for additional info, I’m not using GITHUB_TOKEN no;

name: Tag Branch

on:
  push:
    branches:
      - master
      - development
      - sandbox
      - staging

concurrency:
  group: tag-branch-${{ github.ref }}
  cancel-in-progress: true

jobs:
  tag_branch:
    runs-on: ${{ matrix.os }}

    strategy:
      matrix:
        os: [ubuntu-latest]
        node: [14]

    steps:
      - name: Checkout 🛎
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Setup node env 🏗
        uses: actions/setup-node@v2.4.0
        with:
          node-version: ${{ matrix.node }}

      - name: Cache node_modules
        id: cache
        uses: actions/cache@v2
        with:
          path: ./node_modules
          key: ${{ runner.os }}-node-npm-${{ secrets.ACTIONS_CACHE_VERSION }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-npm-

      - name: Install dependencies 👨🏻‍💻
        if: steps.cache.outputs.cache-hit != 'true'
        run: CYPRESS_INSTALL_BINARY=0 npm install

      - name: Post Install on cache hit
        if: steps.cache.outputs.cache-hit == 'true'
        run: npm run postinstall

      - name: Tag branch
        run: |
          git config --global user.name 'Github Actions'
          git config --global user.email 'alexcroox@users.noreply.github.com'
          node ./automation/tag-bump-version.js

I assumed github actions had access to push to the same repo as I’m not authing it at all as far as I can tell (no secrets called GITHUB_TOKEN or PAT either)

Looks like you are in fact using the GITHUB_TOKEN. :slightly_smiling_face:

That token is automatically created for each workflow run, and actions/checkout uses it to fetch repository data and sets the repository up to use it for pushing if you don’t provide any other token (see its token option). That’s why you can push without any additional secrets. :wink:

Just read some more, I have this set so that’s probably why:

What’s the best way of making sure my node script doesn’t use it, and instead uses a personal access token?

I think the easiest way is to use the token parameter for actions/checkout I mentioned above. Put the PAT in a secret, and do the checkout similar to this:

- uses: actions/checkout@v2
  with:
    token: ${{ secrets.MY_PAT }}
1 Like

This is now working, thank you so much!!!

1 Like