diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c1fec82..ee24214 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1038,6 +1038,8 @@ jobs: runs-on: ubuntu-latest needs: [tests, checkgovernance] if: ${{ (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.checkgovernance.outputs.can_tag == '1' }} + permissions: + actions: write env: GITHUB_REPOSITORY: ${{ github.repository }} BRANCH: ${{ github.ref_name }} @@ -1047,10 +1049,6 @@ jobs: shell: bash id: dispatch-tag-patch-release run: | - if ! [[ -f .github/workflows/tag-patch-release.yml ]]; then - echo "tag-patch-release.yml not present. Skipping." - exit 0 - fi # https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event RESP_CODE=$(curl -w %{http_code} -s -L -o __response.json \ -X POST \ @@ -1060,6 +1058,10 @@ jobs: https://api.github.com/repos/$GITHUB_REPOSITORY/actions/workflows/tag-patch-release.yml/dispatches \ -d "{\"ref\":\"$BRANCH\",\"inputs\":{\"latest_local_sha\":\"${{ needs.tests.outputs.latest_local_sha }}\"}}" ) + if [[ $RESP_CODE == "404" ]]; then + echo "tag-patch-release.yml not present." + exit 0 + fi if [[ $RESP_CODE != "204" ]]; then echo "Failed to dispatch workflow - HTTP response code was $RESP_CODE" cat __response.json diff --git a/.github/workflows/tag-patch-release.yml b/.github/workflows/tag-patch-release.yml index dc2db2b..0950def 100644 --- a/.github/workflows/tag-patch-release.yml +++ b/.github/workflows/tag-patch-release.yml @@ -24,3 +24,4 @@ jobs: uses: silverstripe/gha-tag-release@v2 with: latest_local_sha: ${{ inputs.latest_local_sha }} + dispatch_gha_autotag: true diff --git a/README.md b/README.md index 2e0d8ab..dfc9b4e 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,9 @@ Note: Unlike other silverstripe/gha-* repositories, this one is a [reusable work Create the following file in your module, and substitute the tagged version for the most recent tag prefixed with a `v` e.g. `@v1` +> [!WARNING] +> Note that the `actions: write` permission won't be used in third-party repositories, but still needs to be defined. This permission is required because in commercially supported repositories and repositories in the "silverstripe" GitHub organisation we dispatch a separate workflow which tags patch releases. + **.github/workflows/ci.yml** ```yml name: CI @@ -29,6 +32,7 @@ jobs: permissions: pull-requests: read contents: read + actions: write uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1 ``` @@ -48,6 +52,7 @@ jobs: permissions: pull-requests: read contents: read + actions: write # Only run the cron on the account hosting this repository, not on the accounts of forks # Change '' to match the name of the account hosting this repository if: (github.event_name == 'schedule' && github.repository_owner == '') || (github.event_name != 'schedule')