From 4bfa7433f42e87a5ae81ca9f61643cfa1d0608a8 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sat, 14 Feb 2026 11:02:58 +0100
Subject: [PATCH] ci: run on all branches but release only from main via git tag detection
- Trigger CI on push for all branches and on pull_request
- Detect SemVer release tags (vX.Y.Z) via git tag --points-at
- Run publish-image and stable-tag only for tagged commits on main
- Pass version_tag and sha to reusable workflows
- Prevent tag pushes from triggering additional workflows
https://chatgpt.com/share/e/699044d3-c1d8-8013-a40d-974d1fc69974
---
 .github/workflows/ci.yml | 67 +++++++++++++++++++++--------
 .github/workflows/publish-image.yml | 17 +++++---
 .github/workflows/stable-tag.yml | 18 +++++---
 3 files changed, 73 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 237c2f3..4d45725 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,46 +2,75 @@ name: ci
 on:
 pull_request: {}
- push: {}
+ push:
+ branches:
+ - "**"
 permissions:
 contents: write
 packages: write
 jobs:
- detect-release:
- runs-on: ubuntu-latest
- outputs:
- is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
- steps:
- - id: detect
- shell: bash
- run: |
- set -euo pipefail
- # Only true for tag refs like v1.2.3 (no suffix)
- if [[ "${GITHUB_REF}" == refs/tags/* ]] && [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
- echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
- else
- echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
- fi
-
 tests:
 uses: ./.github/workflows/reusable-test.yml
 with:
 python-version: "3.12"
 matomo-token-description: "ci-token"
+ detect-release:
+ # Only consider releases on main branch pushes (not PRs, not other branches)
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+ outputs:
+ is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
+ version_tag: ${{ steps.detect.outputs.version_tag }}
+ steps:
+ - name: Checkout (full history for tags)
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - id: detect
+ shell: bash
+ run: |
+ set -euo pipefail
+ git fetch --tags --force
+
+ # Tags that point to the current commit
+ TAGS="$(git tag --points-at "$GITHUB_SHA" || true)"
+
+ # Pick the first strict SemVer tag: vX.Y.Z
+ VERSION_TAG="$(echo "$TAGS" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n1 || true)"
+
+ if [ -n "$VERSION_TAG" ]; then
+ echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
+ echo "version_tag=$VERSION_TAG" >> "$GITHUB_OUTPUT"
+ echo "Release tag detected on this commit: $VERSION_TAG"
+ else
+ echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
+ echo "version_tag=" >> "$GITHUB_OUTPUT"
+ echo "No SemVer tag on this commit."
+ fi
+
 publish-image:
+ # Only on main, and only if detect-release found a SemVer tag on this commit
 if: needs.detect-release.outputs.is_semver_tag == 'true'
- needs: [detect-release, tests]
+ needs: [tests, detect-release]
 uses: ./.github/workflows/publish-image.yml
+ with:
+ version_tag: ${{ needs.detect-release.outputs.version_tag }}
+ sha: ${{ github.sha }}
 permissions:
 contents: read
 packages: write
 tag-stable:
+ # Only after tests + publish succeeded
 if: needs.detect-release.outputs.is_semver_tag == 'true'
- needs: [detect-release, tests, publish-image]
+ needs: [tests, detect-release, publish-image]
 uses: ./.github/workflows/stable-tag.yml
+ with:
+ version_tag: ${{ needs.detect-release.outputs.version_tag }}
+ sha: ${{ github.sha }}
 permissions:
 contents: write
diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index a3462f5..616ba58 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -1,7 +1,14 @@
 name: publish-image
 on:
- workflow_call: {}
+ workflow_call:
+ inputs:
+ version_tag:
+ type: string
+ required: true
+ sha:
+ type: string
+ required: true
 jobs:
 build-and-push:
@@ -11,11 +18,11 @@ jobs:
 packages: write
 steps:
- - name: Checkout
+ - name: Checkout (exact commit)
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
- ref: ${{ github.ref }} # bei tag-push ist das der Tag-Ref
+ ref: ${{ inputs.sha }}
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
@@ -36,8 +43,8 @@ jobs:
 run: |
 set -euo pipefail
 IMAGE="ghcr.io/${{ github.repository }}"
- RAW_TAG="${{ github.ref_name }}" # e.g. v1.1.7
- TAG="${RAW_TAG#v}" # -> 1.1.7
+ RAW_TAG="${{ inputs.version_tag }}" # e.g. v1.1.8
+ TAG="${RAW_TAG#v}" # -> 1.1.8
 echo "tags=$IMAGE:$TAG,$IMAGE:latest" >> "$GITHUB_OUTPUT"
 - name: Build and push
diff --git a/.github/workflows/stable-tag.yml b/.github/workflows/stable-tag.yml
index 16f5746..ee9145f 100644
--- a/.github/workflows/stable-tag.yml
+++ b/.github/workflows/stable-tag.yml
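Review bot: The new `detect-release` job inherits the workflow-level `contents: write` / `packages: write` grant although its only work is reading tags; add a job-level `permissions: contents: read` (as `publish-image` and `tag-stable` already scope theirs) and consider lowering the workflow default to `contents: read` if reusable-test.yml does not need write access. Separately, `git tag --points-at "$GITHUB_SHA"` only sees tags that already exist when the push to main fires; since tag pushes no longer trigger the workflow under the new `branches:` filter, a tag pushed after the branch push — a common sequence — never produces a release, so either document that the tag must be pushed together with the commit or add a `workflow_dispatch` trigger (and relax the `github.event_name == 'push'` guard) so detection can be re-run. `head -n1` also picks the lexicographically first matching tag rather than the highest version (`v1.10.0` sorts before `v2.0.0`); `sort -V | tail -n1` would select the highest. The newly added `uses: actions/checkout@v4` references a mutable tag; pinning it to a full commit SHA with the version in a trailing comment is the usual supply-chain hardening for a workflow that publishes images and moves tags.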
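Review bot: The new `version_tag` and `sha` inputs carry no `description:`, yet their formats matter downstream (`version_tag` is stripped of its leading `v` to form the image tag, `sha` is checked out as `ref:`); document the expected shape on each input, e.g. `description: "Release tag of the form vX.Y.Z (validated by the caller)"` and `description: "Full commit SHA to build"`. The same applies to the identical `inputs:` block in the stable-tag.yml hunk (`@@ -1,7 +1,14 @@`). Since `required: true` only checks presence, not format, a short validating step at the start of `build-and-push` would keep the reusable workflow independent of any particular caller.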
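Review bot: `fetch-depth: 0` looks left over from the previous design, where the full history was needed to resolve the tag ref; now that an explicit commit is checked out via `ref: ${{ inputs.sha }}`, the default shallow checkout should suffice unless the image build reads git history (not visible here), in which case a comment such as `# full history: needed by the build, not by the checkout itself` would stop the next reader from removing it. The enclosing `build-and-push` job starts outside the hunk.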
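Review bot: `RAW_TAG="${{ inputs.version_tag }}"` expands the input into the script text before bash runs it, so this step's correctness rests entirely on the caller having validated the value; pass it through the environment instead, adding `env:` / `RAW_TAG: ${{ inputs.version_tag }}` to the step and dropping the assignment so `TAG="${RAW_TAG#v}"` reads the variable. The stable-tag.yml hunk (`@@ -16,16 +23,17 @@`) interpolates `inputs.version_tag` and `inputs.sha` into its `echo` and `git tag -fa` lines the same way and should get the same `env:` treatment. With the value in a variable, a format check such as `[[ "$RAW_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]` before computing `tags=` costs one line and makes the reusable workflow safe to call from any caller. The enclosing step starts outside the hunk.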
@@ -1,7 +1,14 @@
 name: Stable Tag
 on:
- workflow_call: {}
+ workflow_call:
+ inputs:
+ version_tag:
+ type: string
+ required: true
+ sha:
+ type: string
+ required: true
 permissions:
 contents: write
@@ -16,16 +23,17 @@ jobs:
 with:
 fetch-depth: 0
- - name: Move stable tag to this version tag commit
+ - name: Move stable tag to the release commit
+ shell: bash
 run: |
 set -euo pipefail
- echo "Triggered by tag: ${GITHUB_REF_NAME}"
- echo "Commit: ${GITHUB_SHA}"
+ echo "Release tag: ${{ inputs.version_tag }}"
+ echo "Commit: ${{ inputs.sha }}"
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
 git fetch --tags --force
- git tag -fa stable -m "stable -> ${GITHUB_REF_NAME} (${GITHUB_SHA})" "${GITHUB_SHA}"
+ git tag -fa stable -m "stable -> ${{ inputs.version_tag }} (${{ inputs.sha }})" "${{ inputs.sha }}"
 git push --force origin stable
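Review bot: The step force-moves `stable` to whatever `inputs.sha` it is given and pushes it, but nothing checks that the commit actually belongs to `main`, so any workflow that calls this reusable workflow can repoint `stable` to an arbitrary commit; after `git fetch --tags --force`, a guard such as `git fetch origin main && git merge-base --is-ancestor "$SHA" origin/main` (with `SHA` supplied via `env:`) before `git tag -fa` would enforce the "release only from main" intent the commit message states. The checkout of this job starts outside the hunk, so whether the history needed for `merge-base` is available (the visible `fetch-depth: 0` suggests it is) should be confirmed there.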