fix: intercept duplicate workflow execution from automated tag pushes #10

Merged: westkevin12 merged 1 commit into main from bug/fix-duplicate-release-trigger on Jun 2, 2026

@westkevin12
Member

Description

This PR closes #9, resolving an issue in our release pipeline where merging into main fires the 📦 Packaging, Signed Release & Container Publishing job twice for the same commit. The initial run successfully packages the assets and creates the tag, while the second run consistently fails out on our organization's asset immutability checks.

🕵️‍♂️ Root Cause Analysis

  • The Loop Trigger: The release.yml workflow triggers on both pushes to main and pushes matching version tags (v*).
  • Bypassing Loop Prevention: During a merge to main, the pipeline compiles and calls softprops/action-gh-release@v2 using secrets.MCP_PAT. Because this Personal Access Token belongs to an external service account (mcpwest) rather than the default GITHUB_TOKEN, GitHub's native workflow loop prevention is bypassed. The automated creation of the release tag triggers the workflow a second time.
  • Immutability Failure: On the duplicate run, the release action attempts to overwrite the existing release by dropping and re-uploading assets (♻️ Deleting previously uploaded asset...). Because the DigitalServerHost organization enforces immutable release rules, the GitHub API rejects the deletion with a validation error, forcing a red pipeline run despite the artifacts already being securely deployed.

🛠️ Changes Implemented

  • Updated the conditional check (if:) on the packaging and release job to explicitly evaluate the event actor.
  • The pipeline now intercepts and ignores tag push triggers if they are initiated by the mcpwest service account.
  • Retained Coverage: Manual tag pushes from core maintainers (e.g., westkevin12 or gatchimuchio) and standard merges to main will continue to trigger releases normally.

📝 Workflow Changes

     name: "📦 Packaging, Signed Release & Container Publishing"
     needs: quality-gates
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || (startsWith(github.ref, 'refs/tags/v') && github.actor != 'mcpwest'))
     runs-on: ubuntu-latest
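
Review bot: the github.actor != 'mcpwest' guard on the added if: line hardcodes the service account login with no comment explaining it, so if the account behind secrets.MCP_PAT is ever changed, the duplicate run returns silently. Add a YAML comment above the if: saying the exclusion exists because the release action's own tag push re-triggers this workflow, and consider reading the login from a repository variable (for example vars.RELEASE_BOT, a hypothetical name) so the token owner and the guard are updated together. The condition also skips every v* tag pushed by that account, including one pushed deliberately, so the description's "Retained Coverage" point should state that tag-driven releases now work only for tags pushed by other accounts.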

Verification Logs

  • Checked YAML structure viability via a safe parser.
  • Verified that the initial main push workflow run still retains all proper execution properties.

@westkevin12 westkevin12 merged commit 868bf18 into main Jun 2, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

bug: Duplicate Release Workflow Trigger on Merge to Main causes Immutable Asset Failure
