GitHub Actions on release created workflow trigger not working

Question

I have a GitHub Actions workflow implemented on the main branch of my repository which creates a new release of my package in GitHub. Then I have another workflow implemented which should be triggered on the creation of a release. This trigger, however, is not working.

Please note that GitHub abandoned their own actions/create-release@v1 project and advises to use the softprops release action.

My workflow template is as follows:

name: Main release

on:
  push:
    branches:
      - main

jobs:
  release:
    name: 'Release main'
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout source code'
        uses: 'actions/checkout@v2'
        with:
          ref: ${{ github.ref }
      - name: Release
        uses: softprops/action-gh-release@v1
        with:
          draft: false
          body_path: CHANGELOG.md
          name: ${{ steps.version.outputs.version }}
          tag_name: ${{ github.ref }}
          token: ${{ github.token }}

My on:release:created trigger workflow is as follows:

name: Act on release created

on:
  release:
    types: [created]

jobs:
  build:
    name: Build
    environment: dev_environment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
      - name: Test
        run: |
          echo $RELEASE_VERSION
          echo ${{ env.RELEASE_VERSION }}

The release and tags are correctly added in GitHub, so everything looks to work fine except that the workflow that should be triggered on the release is not executed.

How do I solve this?

Answer 1

The GitHub Actions documentation on performing tasks in a workflow states the following:

When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs.

This means that you will have to create a personal access token and add this token to you repository secrets.

To generate a new personal access token go to your personal developer settings and generate a new token. Then go to your repository settings and add a new secret containing the personal access token, name it i.e. PAT.

In your release workflow template, replace:

token: ${{ github.token }}

With:

token: ${{ secrets.PAT }}

Now the on release created event the workflow will be triggered!

Note: This approach seems is a bit hacky, but is currently the only known workaround for this issue and can be considered a major design flaw of workflow integrations.

Answer 2

As an addendum to the answer given above, I found the workflow_run event trigger to work well for this use case:

on:
  workflow_run:
    workflows: ["Main release"]
    types: [completed]

You can add conditions for various release tags and all if required apart from this.

Answer 3

As an alternative to the Personal Access Token in the answer above (which has access to all of your repos), you can generate a dedicated SSH keypair for this purpose and add it to the repository as a Deploy Key. This makes sure that you have access to this single repository only, while it offers the flexibility to later add the deploy key to other repositories as well.

You can configure this as follows:

1. Generate an SSH keypair:

   ssh-keygen -N "" -f deploy_key -C "github-actions"
   

2. Add the private key (generated file deploy_key) as an encryped secret, e.g. COMMIT_KEY to the GitHub project.

   

3. Add the public key (generated file deploy_key.pub) as a deploy key with write access to the GitHub project. Tick the Allow write access checkbox.

   

4. When checking out the source code in your workflow, add the SSH key:

   - name: Checkout
     uses: actions/checkout@v3
     with:
       ssh-key: "${{secrets.COMMIT_KEY}}"
   

Subsequent push actions in the same workflow will then trigger any configured GitHub workflow as if they were pushed manually.