diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index da5e7dd..a6e5b9a 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -11,11 +11,14 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-    # Only run for non-draft versions
+    # When invoked via `workflow_call`, `github.event_name` reflects the
+    # ROOT triggering event of the caller (e.g. `pull_request`), NOT
+    # `workflow_call` — so a `== 'workflow_call'` check never matches.
+    # Trust the caller's own gating in that case; only re-check
+    # draft/tag-prefix when fired directly by a `release` event.
     if: |
-      github.event_name == 'workflow_call' ||
-      (github.event_name == 'release' &&
-      github.event.release.draft == false &&
+      github.event_name != 'release' ||
+      (github.event.release.draft == false &&
       startsWith(github.event.release.tag_name, 'v'))
     steps:
       - name: Checkout
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index e1c51df..c1f624f 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
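Review bot: The rewritten `if:` at the end of this hunk admits every trigger except `release` unconditionally, so any other event declared under this workflow's `on:` block (outside the hunk — `workflow_dispatch` or `push`, if present) now reaches the publish steps with no gate, and a reusable-workflow caller fired by `pull_request` is admitted on the strength of the caller's gating alone. If `on:` lists only `release` and `workflow_call` this matches the stated intent, but that invariant is now load-bearing and nothing in the file records it. I'd add `# NOTE: any trigger other than release is admitted unconditionally; keep on: limited to release and workflow_call.` directly above `if:`, or have callers pass an explicit `workflow_call` input that the condition tests instead of negating the event name. The job's `steps:` continue outside the hunk.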
@@ -67,10 +67,18 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # Use the app token (not the default GITHUB_TOKEN) so the resulting
+      # `release: [published]` event can trigger downstream workflows
+      # (e.g. npm-publish.yml directly). Events fired by GITHUB_TOKEN
+      # do not trigger other workflows — see
+      # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
+      # The publish chain here already routes around this via workflow_call,
+      # but using the app token keeps the release path symmetric and lets a
+      # human re-cut a release without breaking the npm publish.
       - name: Create a GitHub Release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         with:
           tag_name: v${{ steps.bump-version.outputs.new_version }}
           release_name: v${{ steps.bump-version.outputs.new_version }}