Document auto-triggering release on prepare-release PR merge #358
Merged
Adds an `on: pull_request: [closed]` trigger and an `if:` gate to the documented release workflow example, so consumers can opt into having the release workflow run automatically when the auto-generated "Prepare release" PR is merged. Manual `workflow_dispatch` is preserved for re-runs and dry-run testing. GUS-W-13871118
This was referenced May 14, 2026
edmorley reviewed May 14, 2026
A fork-source `pull_request` event already runs with secrets stripped and a read-only `GITHUB_TOKEN`, so the publishing-side surface of the release workflow is protected by GitHub's platform-level rule. But adding `head.repo.full_name == github.repository` to the `if:` makes that intent explicit, fails fast before any runner is provisioned, and guards against a future GitHub policy change widening the fork exposure. No threat model exists today where a fork PR could trigger a release that publishes; this is belt-and-suspenders.
The fork-source check guards against outside contributors, but doesn't prevent an insider with push access from creating a `prepare-release` branch in the base repo and merging it. Adding `user.login == 'heroku-linguist[bot]'` closes that gap so only the auto-generated PR (created by the GitHub App from _buildpacks-prepare-release.yml) can trigger a release.
runesoerensen added a commit to heroku/buildpacks-dotnet that referenced this pull request May 18, 2026
Add two filters to the `if:` gate so only the auto-generated prepare-release PR can trigger a release:

* `head.repo.full_name == github.repository` rejects fork-source PRs. Fork PRs already run without secrets, but the explicit check fails fast before a runner is provisioned and documents the intent.
* `user.login == 'heroku-linguist[bot]'` rejects branches pushed directly by an insider with push access — the fork check doesn't catch that case.

Mirrors the documented example from heroku/languages-github-actions#358.
edmorley approved these changes May 18, 2026
This was referenced May 18, 2026
Adds `on: pull_request: [closed]` and an `if:` gate to the documented release workflow example, so consumers can opt into having the release workflow auto-trigger when the auto-generated "Prepare release" PR is merged. Manual `workflow_dispatch` is preserved for re-runs and dry-run testing.

README-only change; the shared `_buildpacks-release.yml` is unchanged. The gating logic lives in the consumer alongside the trigger, so each consumer's release config remains self-documenting.

Also see heroku/buildpacks-dotnet#425
Resolves #96.
GUS-W-13871118
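The gate discussed in this thread, written out as an added example; it is not the README text from this PR or the project's own workflow. The `merged == true` and `head.ref == 'prepare-release'` conditions, the workflow and job names, and the placeholder step are assumptions; only the trigger, the fork check and the bot-author check come from the conversation above.

```yaml
# Added illustration of a consumer-side release workflow gate (not the project's file).
name: Release            # assumed name

on:
  workflow_dispatch:     # manual runs stay available for re-runs and dry-run testing
  pull_request:
    types: [closed]      # fires on merge AND on close-without-merge, so the job must filter

jobs:
  release:
    # A manual dispatch always passes. A pull_request event passes only when
    # every condition holds:
    #   merged == true
    #       assumed: a PR closed without merging must not release
    #   head.ref == 'prepare-release'
    #       assumed: branch name as mentioned in the review comment
    #   head.repo.full_name == github.repository
    #       from the thread: rejects fork-source PRs before a runner is provisioned
    #   user.login == 'heroku-linguist[bot]'
    #       from the thread: rejects a PR opened by anyone other than the GitHub App,
    #       including an insider who pushes a prepare-release branch to the base repo
    if: >-
      github.event_name == 'workflow_dispatch' || (
      github.event.pull_request.merged == true &&
      github.event.pull_request.head.ref == 'prepare-release' &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      github.event.pull_request.user.login == 'heroku-linguist[bot]' )
    runs-on: ubuntu-latest
    steps:
      # Placeholder step. The real job invokes the shared _buildpacks-release.yml
      # workflow, whose inputs are not shown on this page.
      - run: echo "release gate passed"
```

When the `if:` evaluates to false the job is reported as skipped, so a fork PR, a hand-made `prepare-release` PR and a PR closed without merging all end without a runner starting.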