Github actions workflow not triggering with tag push

[rach1416]

I have a workflow with 2 actions. The first action is triggered when a push is made to the branch and pushes new git tag and the second action is triggered when after a new tag is pushed. However, the second action is not triggering lately even though the tags are being created and pushed into git tags by the first action. Anyone else facing the same issue?

I am using the tag based build as below: also used create event. Nothing seems to work

on:
  push:
    tags:
      - '*'

[Yanjingzhu]

Do you have two workflows, one with an action to push new tags and the other be triggered by tag creation ? Which token do you use in the first action to create new tag?

There is a limitation of workflow: An action in a workflow run can’t trigger a new workflow run.

When you use GITHUB_TOKEN in your actions, all of the interactions with the repository are on behalf of the Github-actions bot. The operations act by Github-actions bot cannot trigger a new workflow run.

You can go to releases page to see the user who released a release.

Tag owner.png766×750 28.8 KB

I would suggest you use your own PAT when creating tags. You can store your PAT in secrets and use

${{ secrets.PATNAME } in your actions.

env:

   GITHUB_TOKEN: ${{ secrets. PATNAME }}

https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets

[shamim-progton]

i am facing same above issue ,i have a workfow with push tags and i want to deploy in to AWS S3 but workflow is not runnung ....

[wparad]

There is a limitation of workflow: An action in a workflow run can’t trigger a new workflow run.

That's why you need this:
https://github.com/marketplace/actions/rebuild-stale-pullrequests

[airtower-luna]

@shamim-progton, as described in @Yanjingzhu's answer, a push using the GITHUB_TOKEN can't trigger workflows. You need to push the tags using a PAT (or over SSH) if you want workflows to run.

[rach1416]

Thanks a ton! It worked…

[inhumantsar]

Is there any possibility of this changing? Adding a PAT to every repo in our organisation is not a good option for two reasons:

* We would have to update every single repo anytime we need to roll the token.

* If we create a user specifically for this kind of task then we have to pay for an extra seat.

[bartfeenstra]

Is this still a known problem? I’ve got something similar going on, where one action creates a development release tag, and a second action creates packaged executables for releases, but the second action is never run. My releases/tags do have myself as the author, and not the bot.

[airtower-luna]

It’s still by design, see Using the GITHUB_TOKEN in a workflow:

When you use the repository’s GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs.

Note that this is not about who is the commit or tag author, but how the push is authorized.

[bartfeenstra]

Thanks for the reply! I should have been a bit clearer. I do use a custom authentication token for the push to push the tag, say master-dev (see the workflow at betty/tag-dev.yml at d86e925add3fba3bb46837ed1065a226fe09b914 · bartfeenstra/betty · GitHub), but only when I push master-dev from my local machine, does the release package workflow run (betty/publish-windows-exe.yml at d86e925add3fba3bb46837ed1065a226fe09b914 · bartfeenstra/betty · GitHub). I’ve been staring at this for a while, but am unsure what’s missing.

[pkernevez]

A such limitation is ‘by design’ ?
We are setting up a manual workflow for our releases to avoid manual mistakes.
How this workflow is able to schedule builds, packagings and deployments on the tags and branches it creates ?
Using a personal token is not an acceptable answer as personal token are not scope to an organisation. I don’t want to setup a token on an organisation that is able to do actions on another one.
Created technical accounts to do git push instead of the GIT_TOKEN is a security breach and a mess in term of maintenance.

[shrink]

pkernevez:

Using a personal token is not an acceptable answer as personal token are not scope to an organisation. I don’t want to setup a token on an organisation that is able to do actions on another one.

Deploy Keys offer the solution you’re looking for: they’re repository scoped! I’ve written a complete blog post called Trigger another GitHub Workflow — without using a Personal Access Token but in summary:

1. Create a Deploy Key
2. Add the private key as a Secret in your repository, e.g: COMMIT_KEY
3. Authenticate Git operations using the Deploy Key, e.g:

- uses: actions/checkout@v2
  with:
    ssh-key: "${{ secrets.COMMIT_KEY }}"

Any Git operation performed by your Workflow – e.g: a Push – will trigger Workflows, because GitHub does not restrict Deploy Keys.

[thejeff77]

yeah would be nice to have something that is scoped to be used by multiple repositories, or some way to have "GH Events" that another workflow can trigger off of so we're not subject to trying to use such means.

Eg:

emit_custom_events:
  - dev_env_built

on:
  push:
    custom_events:
      - dev_env_built

I understand there's a good reason for the restriction, but the use case is still a valid one with little support for an easy alternative.

[sousadiego11]

10/04/2024 - In my case o used the variable "token" and the actions/checkout@v4, also works perfecly.

[piotrekkr]

If you want to chain workflow runs you could try using workflow_run event.

on:
  workflow_run:
    workflows: [Run Tests]
    types:
      - completed

[pkernevez]

Thanks, it works.
Need to manage a lot of keys 😦

[wparad]

2023 and can confirm this still does not work.

There is a limitation of workflow: An action in a workflow run can’t trigger a new workflow run.

The only way around this is to use: https://github.com/marketplace/actions/rebuild-stale-pullrequests

[infogulch]

It works for me. See https://github.com/mthom/scryer-prolog/pull/1842/files

[3bagorion33]

August 2023. Still not working

on:
  push:
    tags:
      - '*'

If I write

on:
  push:
    branches:
      - master
    tags:
      - '*'

then the environment variable

GITHUB_REF => refs/heads/master
GITHUB_REF_NAME => master

That is, the trigger is called by a branch push, not by a tag

[piotrekkr]

@3bagorion33 Just to be clear. You mean that git push origin tag_name does not trigger workflow run?

[wparad]

From inside another GitHub action job/workflow...correct

[piotrekkr]

Okay then this is probably what the answer is about. When you checkout without using user PAT it will use GITHUB_TOKEN (gha bot user). The same token will be used for push. Then way GITHUB_TOKEN is "designed" is so events generated by it will not trigger workflow runs. This was changed a bit in 2022 and GITHUB_TOKEN user is now allowed to trigger workflow_dispatch and repository_dispatch events. The rest of events is still not allowed I think.

[wparad]

Right which means that you can't do this without using a user bound PAT, which has its own security implications and complexity as a workaround for this problem. So what we are saying is really "this can't be achieved by default using obvious and simple semantics but requires the intervention of another service/backend/complexity". Or as I pointed out above, you a dock such as this one, which is much better than a PAT https://github.com/marketplace/actions/rebuild-stale-pullrequests

[sousadiego11]

@wparad There are several ways to disclose your action, and i think this is not one of them. This issue has already been answered, and i do no think that your action fits the actual problem.

[rathboma]

Oh man, just hit this (Oct 2024!). I have no idea why it would be designed this way, but wow is this inconvenient. Not sure why it matters if a tag comes from me or from another workflow, a tag is a tag, and should trigger any workflows that depend on tags.

[mkadricogito]

There is no way , we will start to add users PATs in our workflow, seems a bit odd tbh

Got bitten by this today