Fix workflow triggers: use personal access token for tag pushes #82
Description
Problem
The publish/release workflow did not trigger as expected when the auto-tag workflow added a tag on main.
Diagnosis
- The
.github/workflows/auto-tag.yamlworkflow pushes a tag usingGITHUB_TOKENafter a version change. - The
.github/workflows/release.yamlworkflow is configured to trigger onpushto tags matchingv*. - However, GitHub Actions does NOT trigger a workflow when a tag is pushed using
GITHUB_TOKEN. This is documented by GitHub and is a security feature to prevent recursive workflow runs:When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run.
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow - As a result, although the tag is pushed successfully, the
release.yamlworkflow does not run.
Solution
- Use a Personal Access Token (PAT) or GitHub App token instead of
GITHUB_TOKENin theauto-tag.yamlworkflow to push the tag. - Steps:
- Create a PAT with
repopermissions and add it as a secret (e.g.,PAT_TOKEN) in repository settings. - Update actions/checkout and tag/push steps in
auto-tag.yaml:and,- uses: actions/checkout@v4 with: fetch-depth: 0 token: ${{ secrets.PAT_TOKEN }} # Use PAT for push actions
git push origin "$TAG" # use PAT authentication
- Create a PAT with
References
- GitHub Documentation: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
- Current workflow files:
Acceptance Criteria
- Tag pushes by auto-tag workflow should trigger downstream workflows that reference the tag push event.
- Document and test the change to confirm the release workflow now triggers consistently.