ci: run on all branches but release only from main via git tag detection

- Trigger CI on push for all branches and on pull_request - Detect SemVer release tags (vX.Y.Z) via git tag --points-at - Run publish-image and stable-tag only for tagged commits on main - Pass version_tag and sha to reusable workflows - Prevent tag pushes from triggering additional workflows https://chatgpt.com/share/e/699044d3-c1d8-8013-a40d-974d1fc69974
2026-02-14 11:02:58 +01:00
parent 00c012e553
commit 4bfa7433f4
3 changed files with 73 additions and 29 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,46 +2,75 @@ name: ci

 on:
  pull_request: {}
-  push: {}
+  push:
+    branches:
+      - "**"

 permissions:
  contents: write
  packages: write

 jobs:
-  detect-release:
-    runs-on: ubuntu-latest
-    outputs:
-      is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
-    steps:
-      - id: detect
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Only true for tag refs like v1.2.3 (no suffix)
-          if [[ "${GITHUB_REF}" == refs/tags/* ]] && [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
-          fi
-
  tests:
    uses: ./.github/workflows/reusable-test.yml
    with:
      python-version: "3.12"
      matomo-token-description: "ci-token"

+  detect-release:
+    # Only consider releases on main branch pushes (not PRs, not other branches)
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    outputs:
+      is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
+      version_tag: ${{ steps.detect.outputs.version_tag }}
+    steps:
+      - name: Checkout (full history for tags)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - id: detect
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --tags --force
+
+          # Tags that point to the current commit
+          TAGS="$(git tag --points-at "$GITHUB_SHA" || true)"
+
+          # Pick the first strict SemVer tag: vX.Y.Z
+          VERSION_TAG="$(echo "$TAGS" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n1 || true)"
+
+          if [ -n "$VERSION_TAG" ]; then
+            echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
+            echo "version_tag=$VERSION_TAG" >> "$GITHUB_OUTPUT"
+            echo "Release tag detected on this commit: $VERSION_TAG"
+          else
+            echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
+            echo "version_tag=" >> "$GITHUB_OUTPUT"
+            echo "No SemVer tag on this commit."
+          fi
+
  publish-image:
+    # Only on main, and only if detect-release found a SemVer tag on this commit
    if: needs.detect-release.outputs.is_semver_tag == 'true'
-    needs: [detect-release, tests]
+    needs: [tests, detect-release]
    uses: ./.github/workflows/publish-image.yml
+    with:
+      version_tag: ${{ needs.detect-release.outputs.version_tag }}
+      sha: ${{ github.sha }}
    permissions:
      contents: read
      packages: write

  tag-stable:
+    # Only after tests + publish succeeded
    if: needs.detect-release.outputs.is_semver_tag == 'true'
-    needs: [detect-release, tests, publish-image]
+    needs: [tests, detect-release, publish-image]
    uses: ./.github/workflows/stable-tag.yml
+    with:
+      version_tag: ${{ needs.detect-release.outputs.version_tag }}
+      sha: ${{ github.sha }}
    permissions:
      contents: write
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -1,7 +1,14 @@
 name: publish-image

 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      version_tag:
+        type: string
+        required: true
+      sha:
+        type: string
+        required: true

 jobs:
  build-and-push:
@@ -11,11 +18,11 @@ jobs:
      packages: write

    steps:
-      - name: Checkout
+      - name: Checkout (exact commit)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          ref: ${{ github.ref }}   # bei tag-push ist das der Tag-Ref
+          ref: ${{ inputs.sha }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@@ -36,8 +43,8 @@ jobs:
        run: |
          set -euo pipefail
          IMAGE="ghcr.io/${{ github.repository }}"
-          RAW_TAG="${{ github.ref_name }}"   # e.g. v1.1.7
-          TAG="${RAW_TAG#v}"                 # -> 1.1.7
+          RAW_TAG="${{ inputs.version_tag }}"   # e.g. v1.1.8
+          TAG="${RAW_TAG#v}"                    # -> 1.1.8
          echo "tags=$IMAGE:$TAG,$IMAGE:latest" >> "$GITHUB_OUTPUT"

      - name: Build and push
--- a/.github/workflows/stable-tag.yml
+++ b/.github/workflows/stable-tag.yml
@@ -1,7 +1,14 @@
 name: Stable Tag

 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      version_tag:
+        type: string
+        required: true
+      sha:
+        type: string
+        required: true

 permissions:
  contents: write
@@ -16,16 +23,17 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Move stable tag to this version tag commit
+      - name: Move stable tag to the release commit
+        shell: bash
        run: |
          set -euo pipefail

-          echo "Triggered by tag: ${GITHUB_REF_NAME}"
-          echo "Commit: ${GITHUB_SHA}"
+          echo "Release tag: ${{ inputs.version_tag }}"
+          echo "Commit: ${{ inputs.sha }}"

          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

          git fetch --tags --force
-          git tag -fa stable -m "stable -> ${GITHUB_REF_NAME} (${GITHUB_SHA})" "${GITHUB_SHA}"
+          git tag -fa stable -m "stable -> ${{ inputs.version_tag }} (${{ inputs.sha }})" "${{ inputs.sha }}"
          git push --force origin stable