From ca3fa1ce854c0afdfd122895d70a02086f673334 Mon Sep 17 00:00:00 2001
From: sherwinski
Date: Thu, 21 May 2026 16:25:27 -0700
Subject: [PATCH] ci: auto-tag release commits and fix publish-svn permissions

Adds a tag-on-merge workflow that pushes a vX.Y.Z tag when a "chore: Release X.Y.Z" commit lands on main or v2, so the tag-
triggered publish-svn workflows fire automatically and the release pipeline runs end-to-end without a manual git tag step.

The tag is pushed using GH_PUSH_TOKEN; tags pushed with the default GITHUB_TOKEN do not trigger other workflows.

Also fixes publish-svn{,-v2}.yml: the github-release reusable workflow declares pull-requests: read, but the caller jobs only granted contents: write, causing startup_failure with: The workflow is requesting 'pull-requests: read', but is only allowed 'pull-requests: none'.
---
 .github/workflows/publish-svn-v2.yml       |  1 +
 .github/workflows/publish-svn.yml          |  1 +
 .github/workflows/tag-on-release-merge.yml | 48 ++++++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 .github/workflows/tag-on-release-merge.yml

diff --git a/.github/workflows/publish-svn-v2.yml b/.github/workflows/publish-svn-v2.yml
index 3a948f0..748c54c 100644
--- a/.github/workflows/publish-svn-v2.yml
+++ b/.github/workflows/publish-svn-v2.yml
@@ -125,6 +125,7 @@ jobs:
     needs: publish
     permissions:
       contents: write
+      pull-requests: read
     uses: OneSignal/sdk-shared/.github/workflows/github-release.yml@main
     with:
       version: ${{ needs.publish.outputs.bare_version }}
diff --git a/.github/workflows/publish-svn.yml b/.github/workflows/publish-svn.yml
index 961c112..c3f9f2d 100644
--- a/.github/workflows/publish-svn.yml
+++ b/.github/workflows/publish-svn.yml
@@ -96,6 +96,7 @@ jobs:
     needs: publish
     permissions:
       contents: write
+      pull-requests: read
     uses: OneSignal/sdk-shared/.github/workflows/github-release.yml@main
     with:
       version: ${{ needs.publish.outputs.bare_version }}
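Review bot: The added `pull-requests: read` fixes today's startup_failure, but the caller's grant can drift out of sync again because the `uses:` line right below it references the reusable workflow at the floating `github-release.yml@main`; whatever permissions sdk-shared declares next will become required here without any change to this file. Pinning that line to a release tag or commit SHA, e.g. `uses: OneSignal/sdk-shared/.github/workflows/github-release.yml@<tag-or-sha>`, and bumping it deliberately keeps this `permissions:` block authoritative and also avoids running an unpinned workflow from another repository with `contents: write` on this one. The same applies to the identical hunk in publish-svn-v2.yml; both job definitions begin above their hunks.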
diff --git a/.github/workflows/tag-on-release-merge.yml b/.github/workflows/tag-on-release-merge.yml
new file mode 100644
index 0000000..e562d95
--- /dev/null
+++ b/.github/workflows/tag-on-release-merge.yml
@@ -0,0 +1,48 @@
+name: Tag on Release Merge
+
+on:
+  push:
+    branches:
+      - main
+      - v2
+
+permissions:
+  contents: write
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.head_commit.message, 'chore: Release ')
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          # PAT is required so the pushed tag triggers downstream tag-based
+          # workflows (publish-svn.yml / publish-svn-v2.yml). Tags pushed with
+          # the default GITHUB_TOKEN do not trigger other workflows.
+          token: ${{ secrets.GH_PUSH_TOKEN }}
+
+      - uses: onesignal/sdk-shared/.github/actions/setup-git-user@main
+
+      - name: Extract version and push tag
+        env:
+          MSG: ${{ github.event.head_commit.message }}
+        run: |
+          SUBJECT=$(printf '%s\n' "$MSG" | head -n 1)
+
+          # Match: "chore: Release X.Y.Z" or "chore: Release X.Y.Z (#NNN)"
+          VERSION=$(echo "$SUBJECT" | sed -nE 's/^chore: Release ([0-9]+\.[0-9]+\.[0-9]+)( \(#[0-9]+\))?$/\1/p')
+          if [ -z "$VERSION" ]; then
+            echo "Commit subject is not a release commit; skipping: $SUBJECT"
+            exit 0
+          fi
+
+          TAG="v$VERSION"
+          if git rev-parse "refs/tags/$TAG" >/dev/null 2>&1; then
+            echo "Tag $TAG already exists; skipping."
+            exit 0
+          fi
+
+          echo "Tagging $TAG at $GITHUB_SHA"
+          git tag "$TAG" "$GITHUB_SHA"
+          git push origin "$TAG"
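Review bot: The PAT handed to actions/checkout as `token:` is written into the workspace's `.git/config` because `persist-credentials` is left at its default, so every later step — including the composite action fetched from the floating `onesignal/sdk-shared/...@main` ref — can read a credential that can push to this repository, while the workflow-level `permissions: contents: write` granted to GITHUB_TOKEN appears unused since the push goes through the PAT. I would set `persist-credentials: false` on the checkout, drop the grant to `contents: read`, expose the PAT only to the push step via `env` and use it solely in the push URL, and pin `setup-git-user` to a commit SHA instead of `@main`. Separately, the subject-prefix check in `if:` is the only gate between any push to main/v2 and a tag that fans out to the SVN publish workflows, so this design leans on branch protection for those branches and on GH_PUSH_TOKEN being a fine-grained token scoped to this repository's contents only — worth confirming both.
```yaml
permissions:
  contents: read  # the tag push uses the PAT, not GITHUB_TOKEN

# … unchanged: on: trigger, jobs.tag runs-on / if …
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
          persist-credentials: false  # keep the PAT out of .git/config for later steps
          token: ${{ secrets.GH_PUSH_TOKEN }}

# … unchanged: setup-git-user step …
      - name: Extract version and push tag
        env:
          MSG: ${{ github.event.head_commit.message }}
          GH_PUSH_TOKEN: ${{ secrets.GH_PUSH_TOKEN }}
        run: |
          # … unchanged: SUBJECT/VERSION extraction and existing-tag check …
          git tag "$TAG" "$GITHUB_SHA"
          git push "https://x-access-token:${GH_PUSH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$TAG"
```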