From 39d5b7cb78b2563f1586779877bd709045835f0c Mon Sep 17 00:00:00 2001 From: jross Date: Mon, 8 Jun 2026 13:11:25 -0600 Subject: [PATCH 1/3] ci: deploy production inline from release-please (fix missing tag trigger) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit release-please creates the GitHub release + tag using the default GITHUB_TOKEN. GitHub does not emit workflow-triggering events for actions taken with GITHUB_TOKEN (recursive-trigger block), so the `release: published` event never reached CD (Production) and nothing deployed after a release PR merged. Make CD (Production) a reusable workflow (workflow_call) accepting a tag_name input, and have release-please invoke it inline when it reports release_created == true. Running the deploy as a job in the same workflow run sidesteps the GITHUB_TOKEN cascade restriction entirely — no PAT required. - CD_production: add workflow_call trigger; resolve the deploy tag from inputs.tag_name (call) or github.event.release.tag_name (event) via a job-level DEPLOY_TAG env; keep the version-shape guard and the refs/tags checkout. The `release: published` trigger is retained as a fallback for releases published via the UI or a PAT. - release-please: expose release_created/tag_name outputs and add a deploy-production job (uses: ./.github/workflows/CD_production.yml, secrets: inherit) gated on release_created. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/CD_production.yml | 31 +++++++++++++++++++++------- .github/workflows/release-please.yml | 18 +++++++++++++++- 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/.github/workflows/CD_production.yml b/.github/workflows/CD_production.yml index d6c1524c..3dc0cb18 100644 --- a/.github/workflows/CD_production.yml +++ b/.github/workflows/CD_production.yml @@ -1,6 +1,19 @@ name: CD (Production) on: + # Reusable entry point: release-please calls this inline after it creates a + # release. Releases that release-please makes with the default GITHUB_TOKEN do + # NOT emit a `release: published` event that triggers other workflows + # (GitHub's recursive-trigger block), so the release-please workflow invokes + # this one directly via workflow_call. + workflow_call: + inputs: + tag_name: + description: Release tag to deploy (e.g. v1.1.0) + required: true + type: string + # Fallback for releases published manually (UI) or via a PAT, which DO emit a + # release event. release: types: [published] @@ -11,19 +24,21 @@ jobs: production-deploy: # Safety rail: only deploy when the release tag is version-shaped # (v*.*.*, v*.*.*-*, v*.*.*[a-z]*). startsWith() is a cheap pre-filter; - # the "Validate release tag" step enforces the strict regex. - if: startsWith(github.event.release.tag_name, 'v') + # the "Validate release tag" step enforces the strict regex. The tag comes + # from the workflow_call input or, for the release event, the payload. + if: ${{ startsWith(inputs.tag_name || github.event.release.tag_name, 'v') }} runs-on: ubuntu-latest environment: production + env: + DEPLOY_TAG: ${{ inputs.tag_name || github.event.release.tag_name }} + steps: - name: Validate release tag matches version pattern - env: - TAG: ${{ github.event.release.tag_name }} run: | - if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.+|[a-z].*)?$ ]]; then - echo "Release tag '$TAG' does not match the v*.*.* pattern. Refusing to deploy." + if [[ ! "$DEPLOY_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.+|[a-z].*)?$ ]]; then + echo "Release tag '$DEPLOY_TAG' does not match the v*.*.* pattern. Refusing to deploy." exit 1 fi @@ -33,7 +48,7 @@ jobs: fetch-depth: 0 # Fully-qualified tag ref avoids ambiguity if a branch is ever # created with the same name as the release tag. - ref: refs/tags/${{ github.event.release.tag_name }} + ref: refs/tags/${{ env.DEPLOY_TAG }} - name: Install uv in container uses: astral-sh/setup-uv@v8.2.0 @@ -82,7 +97,7 @@ jobs: - name: Render App Engine configs env: - APP_VERSION: ${{ github.event.release.tag_name }} + APP_VERSION: ${{ env.DEPLOY_TAG }} ENVIRONMENT: "production" CLOUD_SQL_INSTANCE_NAME: "${{ secrets.CLOUD_SQL_INSTANCE_NAME }}" CLOUD_SQL_DATABASE: "${{ vars.CLOUD_SQL_DATABASE }}" diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index ea86f71d..cbacb247 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -13,9 +13,25 @@ permissions: jobs: release-please: runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + tag_name: ${{ steps.release.outputs.tag_name }} steps: - - uses: googleapis/release-please-action@v5 + - id: release + uses: googleapis/release-please-action@v5 with: config-file: release-please-config.json manifest-file: .release-please-manifest.json target-branch: ${{ github.ref_name }} + + # When release-please actually cuts a release, deploy it. The release is + # created with GITHUB_TOKEN, whose events don't trigger other workflows, so we + # invoke the production deploy inline (same run) instead of relying on the + # `release: published` event reaching CD_production. + deploy-production: + needs: release-please + if: ${{ needs.release-please.outputs.release_created == 'true' }} + uses: ./.github/workflows/CD_production.yml + with: + tag_name: ${{ needs.release-please.outputs.tag_name }} + secrets: inherit From 8c0d002643df157e7df75525ec80e82f0f7e11a9 Mon Sep 17 00:00:00 2001 From: Jake Ross Date: Mon, 8 Jun 2026 13:21:03 -0600 Subject: [PATCH 2/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/CD_production.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/CD_production.yml b/.github/workflows/CD_production.yml index 3dc0cb18..e135876e 100644 --- a/.github/workflows/CD_production.yml +++ b/.github/workflows/CD_production.yml @@ -26,13 +26,13 @@ jobs: # (v*.*.*, v*.*.*-*, v*.*.*[a-z]*). startsWith() is a cheap pre-filter; # the "Validate release tag" step enforces the strict regex. The tag comes # from the workflow_call input or, for the release event, the payload. - if: ${{ startsWith(inputs.tag_name || github.event.release.tag_name, 'v') }} + if: ${{ startsWith((github.event_name == 'workflow_call' && inputs.tag_name) || github.event.release.tag_name, 'v') }} runs-on: ubuntu-latest environment: production env: - DEPLOY_TAG: ${{ inputs.tag_name || github.event.release.tag_name }} + DEPLOY_TAG: ${{ (github.event_name == 'workflow_call' && inputs.tag_name) || github.event.release.tag_name }} steps: - name: Validate release tag matches version pattern From 768807484e873cd7d843d861cc14776a74209c49 Mon Sep 17 00:00:00 2001 From: Jake Ross Date: Mon, 8 Jun 2026 13:47:41 -0600 Subject: [PATCH 3/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/release-please.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index cbacb247..f6cd5bb7 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -31,6 +31,8 @@ jobs: deploy-production: needs: release-please if: ${{ needs.release-please.outputs.release_created == 'true' }} + permissions: + contents: read uses: ./.github/workflows/CD_production.yml with: tag_name: ${{ needs.release-please.outputs.tag_name }}