Github workflows not triggered by automatically created PRs [duplicate] - github-actions

This question already has an answer here:
GitHub Actions auto-approve not working on pull request created by GitHub Actions bot
(1 answer)
Closed 7 months ago.
I implemented a workflow that runs once a week and updates all the project dependencies and opens a PR with its changes using the workflow token.
name: Automatic dependency update
"on":
workflow_dispatch: null
schedule:
- cron: 0 0 * * 1
jobs:
update:
name: Update to latest versions
runs-on:
- self-hosted
- default-runner
steps:
- name: Checkout Project
uses: actions/checkout#v2
- name: Install Java
uses: actions/setup-java#v2
- name: Update Versions
run: |
./gradlew useLatestVersions --info
- name: Commit and open PR
uses: peter-evans/create-pull-request#v3
with:
commit-message: Update to latest versions
committer: Update Bot <workflow#xxx.com>
branch: auto-dependency-update
base: dev
delete-branch: true
title: Automatic dependency update
draft: false
team-reviewers: XX/teamname
body: Automated gradle dependency updates
The issue is, that for this PR the normal workflows (that are mandatory for the PR merge are not triggered.
name: Build pipeline
"on":
workflow_dispatch: null
pull_request:
branches:
- dev
push:
branches:
- '!master'
- '**'
defaults:
run:
shell: bash
jobs:
build:
name: Compile
runs-on:
- self-hosted
- default-runner
steps:
- name: Checkout code
uses: actions/checkout#v2
- uses: actions/setup-java#v2
- name: Compile code
run: |
./gradlew classes testClasses --info
# ...
When I manually push something to that branch, the workflows are triggered. Though when I add the following step to the version update workflow, then the workflows aren't triggered either.
So what can I do? I dont want to trigger the workflows explicityl (e.g. using benc-uk/workflow-dispatch#v1) to keep the update mechanism as generic as possible.

According to the official documentation
When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN will not create a new workflow run.
This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
For more information, see "Authenticating with the GITHUB_TOKEN."
The action you're using to open the PR also states in the Inputs section that you can change the GITHUB_TOKEN scope as well, or use a PAT:
GITHUB_TOKEN (permissions contents: write and pull-requests: write) or a repo scoped Personal Access Token (PAT).
Solution
Therefore, you just need to add a token input to the peter-evans/create-pull-request action using a secret allowing you to trigger a workflow from another workflow.

Related

When I run a GitHub Action for a feature branch, it reads all files from master instead of reading them from the feature branch

I have a GitHub Action which is set to run at will when triggered manually (with the workflow_dispatch keyword under the on secton). Apparently when I run the Action from a feature branch, it only loads the Action YML from the feature branch and loads everything else from master.
One of the Action's steps calls a PowerShell script. When run for a feature branch, it executes the script that is in master, no the script in my feature branch. If it references a script that only exists in my feature branch and not in master, then it fails and says the script does not exist.
That makes it very hard to experiment with the Action, since apparently all its dependencies need to be merged to master before I can test them.
This is how I trigger my Action:
Go to GitHub -> Actions -> Workflows sidebar and select my workflow.
Next to where it says "This workflow has a workflow_dispatch event trigger", click Run workflow.
Under Use workflow from, select my feature branch.
Click Run workflow.
Am I doing something completely wrong here?
Here is my Action YML:
name: Deploy to persistent environment
on:
workflow_dispatch:
inputs:
deployment_target:
type: choice
description: Choose an environment to deploy to
options:
- dev
- staging
- production
jobs:
deploy-kms-to-persistent-environment:
name: Deploy KMS to ${{ github.event.inputs.deployment_target}}
runs-on: [self-hosted, 3shape-ubuntu-latest]
steps:
- name: Deploy application
working-directory: ./src/deploy/kms-bicep
shell: pwsh
run: |
./deploy-release-application2.ps1
It turns out I need a checkout step in my Action: - uses: actions/checkout#v3
name: Deploy to persistent environment
on:
workflow_dispatch:
inputs:
deployment_target:
type: choice
description: Choose an environment to deploy to
options:
- dev
- staging
- production
jobs:
deploy-kms-to-persistent-environment:
name: Deploy KMS to ${{ github.event.inputs.deployment_target}}
runs-on: [self-hosted, 3shape-ubuntu-latest]
steps:
- uses: actions/checkout#v3
- name: Deploy application
working-directory: ./src/deploy/kms-bicep
shell: pwsh
run: |
./deploy-release-application2.ps1

Github action increment version on push to main

I would like to use a pure solution in a GitHub action to increment a version of the package. I don't want to use any existing actions from the GitHub marketplace such as "gh-action-bump-version
". I have this workflow, which will increase the version and create a tag.
name: Version Increment
on:
push:
branches:
- main
tags-ignore:
- v*
jobs:
version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
with:
token: ${{ secrets.ACCESS_TOKEN }}
- run: git config user.email "$GITHUB_ACTOR#users.noreply.github.com"
- run: git config user.name "$GITHUB_ACTOR"
- run: npm version minor -m "v%s"
- run: VERSION=$(node -p "require('./package.json').version")
- run: git tag ${VERSION}
- run: git push origin --tags
- run: git push origin --follow-tags
It works, but it also cause a circular runs of the actions because of the last row. I know that I can use a custom message like "[RELEASE]" and put there a "if" condition and skip these commits. But my question is, is there any better solution to skip these commits from this action and do not use the "if" condition? Because the "tags-ignore" obviously doesn't work.
So I found several solutions. The first is that you can put "[skip actions]" to your commit message and that commit will skip any github action that should run within the commit. The second one is to use an address of the repository with access token.
This works pretty well for me:
name: Version Increment
on:
push:
branches:
- main
jobs:
version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- run: git config user.email "$GITHUB_ACTOR#users.noreply.github.com"
- run: git config user.name "$GITHUB_ACTOR"
- run: npm version minor -m "v%s"
- run: VERSION=$(node -p "require('./package.json').version")
- run: git tag ${VERSION}
- run: git push "https://$GITHUB_ACTOR:${{ secrets.ACCESS_TOKEN }}#github.com/$GITHUB_REPOSITORY.git" --follow-tags
- run: git push "https://$GITHUB_ACTOR:${{ secrets.ACCESS_TOKEN }}#github.com/$GITHUB_REPOSITORY.git" --tags
Try using the built in GITHUB_TOKEN instead of your custom ACCESS_TOKEN. That should prevent the workflow from triggering another workflow.
From the docs (https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow):
When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

Github action to lint after commit in previous step

I'm setting up Github action to lint the OpenAPI Spec using Spectral. Before linting, I would like to generate the single file spec and commit it.
I have set up a workflow that will first build and then lint. But the problem is, the lint is not considering the commit made by Github action in the previous step. It always lint for the commit that triggered this action. Is there any way to lint with the commit made as part of Github action?
You can see from the above image that Github workflow didn't run for the commit made by Github action.
Workflow file:
name: Run Spectral
on:
- pull_request
jobs:
build:
name: Build Spec
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout#v2
- name: Set up Node.js
uses: actions/setup-node#v1
with:
node-version: 12.x
- name: Install dependencies
run: npm install
- name: Build spec file
run: npm run build
- name: Commit build changes
uses: EndBug/add-and-commit#v7
with:
default_author: github_actions
message: 'Compiled spec file'
add: '_build/oas.yaml'
lint:
name: Lint
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout Repository
uses: actions/checkout#v2
- name: Spectral Linting
uses: stoplightio/spectral-action#v0.7.3
with:
file_glob: '_build/oas.yaml'
That's because commits made using the standard GITHUB_TOKEN aren't triggering workflows; you have to use a personal access token for an automated workflow that's supposed to kick off another workflow.
Quoting from the docs (linked above):
When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. [...]
If you would like to trigger a workflow from a workflow run, you can trigger the event using a personal access token. [...]

In a github actions workflow, is there a way to have multiple jobs reuse the same setup?

I recently hooked up my project with github actions for continuous integration. I created two separate jobs: the first one checks if the code in the pull request is accepted by our linter, and the second one checks if the code passes the test suite. I like that having two jobs like this shows up as two separate checkmarks in the Github webpage for the pull request:
The problem I'm having now is that there is some duplicated code in workflow YAML file: the first 3 steps, which install Lua and Luarocks. Not only is it annoying to maintain, but it also wastes CI minutes by running the same actions twice. Is there a way to avoid this? So that the setup code is only written in one place, and only runs once when the workflow executes?
But I am confused what would be the proper way to proceed:
Should I create my own Github Action with the shared setup code?
Should I create a Docker image that already has Lua and Luarocks pre-installed?
Should I use a single job? Can I still have independent checkmarks for the linter and the test suite if they are steps of the same job?
Something else?
Here is the current YAML file for my workflow:
name: Github Actions CI
on: [ pull_request ]
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- uses: leafo/gh-actions-lua#v8.0.0
- uses: leafo/gh-actions-luarocks#v4.0.0
- run: luarocks install luacheck
- run: ./run-linter.sh
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- uses: leafo/gh-actions-lua#v8.0.0
- uses: leafo/gh-actions-luarocks#v4.0.0
- run: luarocks install busted
- run: ./build-project.sh
- run: ./run-test-suite.sh
I tried searching for similar questions but couldn't find anything that exactly answered my question:
Caching APT packages in GitHub Actions workflow: I can't use this solution because I don't have a way to precisely specify all the versions of all the dependencies that I am using, so that they may be cached. I also don't mind if separate runs of the workflow are not cached. I'm more worried about the code duplication.
Github actions share workspace/artifacts between jobs? I don't want to have to manage uploading uploading artifacts to a separate service and then deleting them afterwards.
Reuse portion of github action across jobs: In that question the only difference between the jobs is a single variable, so accepted answer is to use a build matrix. But I don't think a build matrix would work as well in my case, where only the setup code is the same?
As of today (August 2021) composite action is no longer limited to run. GitHub Actions: Reduce duplication with action composition
name: "Publish to Docker"
description: "Pushes built artifacts to Docker"
inputs:
registry_username:
description: “Username for image registry”
required: true
registry_password:
description: “Password for image registry”
required: true
runs:
using: "composite"
steps:
- uses: docker/setup-buildx-action#v1
- uses: docker/login-action#v1
with:
username: ${{inputs.registry_username}}
password: ${{inputs.registry_password}}
- uses: docker/build-push-action#v2
with:
context: .
push: true
tags: user/app:latest
Old Answer
What you are looking for is composite action which help you reuse once defined set of steps.
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: octocat/say-hello#v1
- run: luarocks install luacheck
- run: ./run-linter.sh
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: octocat/say-hello#v1
- run: luarocks install busted
- run: ./build-project.sh
- run: ./run-test-suite.sh
octocat/say-hello/action.yml:
runs:
using: "composite"
steps:
- run: echo "Nice to meet you!"
shell: pwsh
For more details you can also check's ADR here.
And why you can't simply run it once for all jobs, because each job may run on a different machine.
A job is a set of steps that execute on the same runner. By default, a workflow with multiple jobs will run those jobs in parallel. You can also configure a workflow to run jobs sequentially. For example, a workflow can have two sequential jobs that build and test code, where the test job is dependent on the status of the build job. If the build job fails, the test job will not run.
There are 3 main approaches for code reusing in GitHub Actions:
Reusable Workflows
Dispatched workflows
Composite Actions
There is an article describing their pros and cons.
In your case if the duplicated steps are in the single workflow you also can:
extract them to the "preparation" job
upload build artifacts
add "preparation" job to "needs" key of both jobs
download build artifact in both jobs
The below code snippet should do the work for you. Instead of creating two jobs, one for lint and another for test, you can use one job and create multiple tasks
name: Github Actions CI
on: [ pull_request ]
jobs:
lint:
name: Lint and Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- uses: leafo/gh-actions-lua#v8.0.0
- uses: leafo/gh-actions-luarocks#v4.0.0
- name: Install Luacheck
run: luarocks install luacheck
- name: Run Lint Check
- run: ./run-linter.sh
- name: Install Busted
run: luarocks install busted
- name: Build Project
run: ./build-project.sh
- name: Run Test Suite
- run: ./run-test-suite.sh

Triggering a new workflow from another workflow?

Can I trigger a new workflow from another workflow?
I'm trying to run a workflow after the first workflow has pushed a new release and it seems to ignore it.
Found the answer here:
An action in a workflow run can't trigger a new workflow run. For example, if an action pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
EDIT:
The quote above might be confusing. When I add a Personal Access Token (PAT) to the checkout action with repo permissions granted (and not repository's GITHUB_TOKEN), the following commands DO trigger other workflows:
- name: Checkout Repo
uses: actions/checkout#v2
with:
token: ${{ secrets.PAT_TOKEN }}
(In my case, running semnatic-release after this checkout, which creates a new release with a new tag - did trigger another workflow that runs only if a tag was created)
As described here, you can trigger another workflow using the workflow_run event.
For example we could think of two workflow definitions like this (the only prerequisite is, that both reside in the same repository - but I'am sure, there's also an event for other repos as well):
release.yml
name: CI release
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Release artifact
run: ...
do-something-different.yml
name: Do anything after the release of the first workflow
on:
workflow_run:
workflows: ["CI release"]
types:
- completed
jobs:
notify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Do something
run: ...
A crucial point here is that the name: CI release definition of the first yaml file must exactly match the workflow_run: workflows: ["CI release"] definition in the second yaml file. Another point is that this approach needs to be done on the default branch (which is mostly main or master) as the docs state:
Note: This event will only trigger a workflow run if the workflow file
is on the default branch.
If you don't want to use a general Personal Access Token (which has access to all of your repos), you can generate a dedicated SSH keypair for this purpose and add it to the repository as a Deploy Key. This is done as follows:
Generate an SSH keypair:
ssh-keygen -N "" -f deploy_key -C "github-actions"
Add the private key (generated file deploy_key) as an encryped secret, e.g. COMMIT_KEY to the GitHub project.
Add the public key (generated file deploy_key.pub) as a deploy key with write access to the GitHub project. Tick the Allow write access checkbox.
When checking out the source code in your workflow, add the SSH key:
- name: Checkout
uses: actions/checkout#v3
with:
ssh-key: "${{secrets.COMMIT_KEY}}"
Subsequent push actions in the same workflow will then trigger any configured GitHub workflow as if they were pushed manually.