Why are you starting this discussion? Question

What GitHub Actions topic or product is this about? Misc

Discussion Details

My general CI workflow for Python projects is build -> test -> if-on-master-then-cut-tag -> if-tag-then-release-to-pypi

GitHub Actions/workflow imposes an intentional limitation of not triggering a workflow run when GITHUB_TOKEN is used:

...which means when we push a tag from within a workflow, said tag won't trigger another job/workflow.

How do y'all deal with this? The obvious way would be adding a PAT to the repo, but that feels like a future maintenance hell and is generally suggested against throughout the documentation. Also, correct me if I'm wrong, but org-level secrets cannot be added to a regular user account.

One hacky-ish way would be triggering the workflow via a REST call, but I'm not sure how to do this when reusable workflows are in use (i.e. when one workflow calls another).

Real-life example of a reusable workflow that's creating & pushing a tag:

```yaml
name: publish
on:
  workflow_call:

jobs:
  build-test:
    name: Build & test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: install dev/test deps
        run: |
          pip install '.[dev]'
      - name: Test
        run: |
          pytest
      - name: Install pypa/build & build the binary wheel/src tarball
        run: |
          pip install build
          python -m build
      - name: Store the distribution packages
        uses: actions/upload-artifact@v4
        with:
          name: release-dist
          path: dist/

  version-tag-changelog:
    name: Version & tag the release
    if: ${{github.ref == 'refs/heads/master' }}
    needs:
      - build-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: true
      - name: Configure git
        run: |
          git config --global user.name 'workflow-bot'
          git config --global user.email 'ci@github'
      - name: Install zestreleaser & cut a tag
        run: |
          pip install zest.releaser
          fullrelease --no-input  # <- note this will create a tag & push it back to our repo
```
Replies: 2 comments
good
GitHub blocks events created with GITHUB_TOKEN from triggering new workflow runs, so a tag pushed inside a workflow will not start another workflow. This is intentional and can’t be overridden.

If you need the tag to trigger a release workflow, the only supported option is to use a fine-grained PAT stored as a secret (repo or org). Otherwise, keep the entire release process in a single workflow instead of relying on a second workflow triggered by the tag.

User accounts don’t have org-level secrets, so PAT rotation must be done per repo.
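The PAT option from the reply above, applied to the tagging job of the reusable workflow in the question. This is an added example, not code from either poster, and it shows only that job. The secret name `RELEASE_PAT` and the file path `.github/workflows/publish.yml` are assumptions.

```yaml
# Added example. RELEASE_PAT (hypothetical name) holds a fine-grained PAT
# limited to this one repository with "Contents: read and write" only.

# --- reusable workflow, assumed to live at .github/workflows/publish.yml ---
name: publish
on:
  workflow_call:
    secrets:
      RELEASE_PAT:            # a called workflow only sees secrets declared here
        required: true

jobs:
  version-tag-changelog:
    name: Version & tag the release
    if: ${{ github.ref == 'refs/heads/master' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read          # GITHUB_TOKEN stays read-only; the push uses the PAT
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.RELEASE_PAT }}   # used instead of GITHUB_TOKEN
          persist-credentials: true           # kept in git config for the later push
      - name: Configure git
        run: |
          git config --global user.name 'workflow-bot'
          git config --global user.email 'ci@github'
      - name: Install zestreleaser & cut a tag
        run: |
          pip install zest.releaser
          fullrelease --no-input  # the tag push is made with the PAT, so tag-triggered workflows run
---
# --- caller workflow (hypothetical) ---
on:
  push:
    branches: [master]

jobs:
  release:
    uses: ./.github/workflows/publish.yml
    secrets:
      # pass only this secret rather than `secrets: inherit`
      RELEASE_PAT: ${{ secrets.RELEASE_PAT }}
```

Every push made with the PAT can start workflows, so any commits `fullrelease` pushes to master will trigger the caller again as well as the tag workflow; the job needs a guard against that loop.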