ci: skip Auto Release when triggered by release App push #53
Merged
App installation tokens (unlike GITHUB_TOKEN) do not suppress workflow cascades, so the tag push from Manual Release's bump-and-tag job now triggers Auto Release in parallel. Manual Release already inlines deploy + release, making the parallel Auto Release run redundant. Guard the validate job on actor; deploy and release inherit the skip via needs cascade. Auto Release still fires for any other tag push (e.g. manual git push --tags from a developer machine). https://claude.ai/code/session_01K8eXF8Fe3gjCR5e2ndU2Wo
aliasunder added a commit that referenced this pull request May 20, 2026
Every manual release (App-bot tag push) triggered Auto Release, which failed with "Invalid workflow file" — it calls deploy.yml (needs id-token: write + packages: write) but only granted contents: write. GitHub rejects the file at validation time, BEFORE the actor guard (`if: github.actor != 'vault-cortex-release[bot]'`, PR #53) can skip the jobs — so it failed loudly on v0.15.2–v0.15.5 instead of skipping. Added id-token: write + packages: write so the file validates. Now a bot-pushed tag validates, the actor guard skips validate → deploy → release, and the run completes as a clean skip (no red X). A genuine non-bot tag push (local `git push --tags`) now also deploys as intended. Co-authored-by: Claude <noreply@anthropic.com>
Summary
`if: github.actor != 'vault-cortex-release[bot]'` to the `validate` job in `auto_release.yml`.
`deploy` and `release` jobs depend on `validate` via `needs:`, so they inherit the skip — no need to duplicate the guard.

Why
App installation tokens (unlike `GITHUB_TOKEN`) do not suppress workflow cascades on push events. After #52, the tag push from Manual Release's `bump-and-tag` job now triggers `auto_release.yml` in parallel — observed during the v0.15.2 release (Auto Release fired and was cancelled by the `deploy-prod` concurrency group).

Manual Release already inlines deploy + release, so the cascaded Auto Release run is fully redundant. Guarding on actor keeps Auto Release useful for the original intent (a future external `git push --tags` from a developer machine) without firing on every bot release.

Test plan
Manual Release run: confirm only one workflow chain runs end-to-end (no Auto Release sibling).

https://claude.ai/code/session_01K8eXF8Fe3gjCR5e2ndU2Wo
Generated by Claude Code
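
A sketch of the caller-workflow shape that the PR and the follow-up commit describe, added here as an illustration and not the repository's actual `auto_release.yml`. The tag pattern, the workflow-level placement of `permissions`, the `deploy.yml` path and the step bodies are assumptions; the job names, the actor guard and the three permissions come from the page.

```yaml
# Constructed example; not the project's own workflow file.
name: Auto Release

on:
  push:
    tags:
      - "v*"            # assumption: release tags look like v0.15.2

# A caller must grant every permission the called reusable workflow requests.
# Before the follow-up commit only `contents: write` was granted, so GitHub
# rejected the file ("Invalid workflow file") at validation time, before any
# job-level `if:` could be evaluated.
permissions:
  contents: write
  id-token: write       # needed by deploy.yml
  packages: write       # needed by deploy.yml

jobs:
  validate:
    # Tag pushes made with the release App's installation token still trigger
    # this workflow; skip them because Manual Release deploys and releases inline.
    if: github.actor != 'vault-cortex-release[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "validating ${GITHUB_REF_NAME}"    # placeholder step

  deploy:
    needs: validate     # skipped whenever validate is skipped
    uses: ./.github/workflows/deploy.yml             # assumed path

  release:
    needs: deploy       # skipped transitively through the needs chain
    runs-on: ubuntu-latest
    steps:
      - run: echo "publishing ${GITHUB_REF_NAME}"    # placeholder step
```

The skip propagates only while `deploy` and `release` carry no `if:` that uses a status function such as `always()`. `github.actor` is the account that triggered the initial run, so re-running a bot-triggered run keeps the bot as actor and is still skipped.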