5 changes: 4 additions & 1 deletion .github/workflows/release.yml
@@ -38,8 +38,11 @@
goreleaser:
needs:
- dep-guard
if: github.event.pull_request.draft == false
if: |
!cancelled() &&
(needs.dep-guard.result == 'success' || needs.dep-guard.result == 'skipped') &&
github.event.pull_request.draft == false

Check failure on line 44 in .github/workflows/release.yml
probelabs / Visor: quality (logic Issue)

The condition `github.event.pull_request.draft == false` will prevent the job from running on `push` or `tag` events, as `github.event.pull_request` is null for those events. Accessing a property on a null object results in an empty string, and `'' == false` evaluates to `false` in GitHub Actions expressions, causing the entire `if` condition to fail. This undermines the purpose of the fix, which is to allow the workflow to run on events other than pull requests.

The check for a draft pull request should only be performed when the event is a `pull_request`. Modify the condition to apply the draft check conditionally based on the event type.
name: '${{ matrix.golang_cross }}'

Check failure on line 45 in .github/workflows/release.yml
probelabs / Visor: architecture (logic Issue)

The `if` condition is logically flawed and will not fix the issue for non-pull-request events like pushes or tags. The expression `github.event.pull_request.draft == false` will evaluate to `false` when the event is not a pull request, as `github.event.pull_request` will be `null`. This will cause the entire condition to be false, and the `goreleaser` job will continue to be skipped on release-triggering events, which is the bug this change intends to fix.

The condition should be modified to explicitly handle cases where the event is not a pull request. It should allow the job to run for non-PR events, or for PRs that are not drafts.

Check failure on line 45 in .github/workflows/release.yml
probelabs / Visor: security (security Issue)

The `if` condition for the `goreleaser` job is insecure and logically flawed. The condition `github.event.pull_request.draft == false` is too broad for a job with `contents: write` permissions, as it could trigger on any non-draft pull request, posing a risk of unintended releases. Additionally, this condition will fail on `push` and `tag` events (where `github.event.pull_request` is null), meaning the intended fix to enable releases on tags will not work as the job will continue to be skipped.

Strengthen the trigger condition to be more specific. A release job should only run on explicit release events, such as creating a tag that matches a version pattern. The condition should also be corrected to work for non-PR events.

Example of a more secure and correct condition:
```yaml
if: |
  !cancelled() &&
  (needs.dep-guard.result == 'success' || needs.dep-guard.result == 'skipped') &&
  (startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'pull_request' && github.event.pull_request.draft == false))
```
This will trigger the job on version tags (e.g., `v1.2.3`) and non-draft pull requests. Ensure the `goreleaser` action itself distinguishes between these events to perform a full release only on tags.
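As an added example, written for this review and not code from the PR or from the Visor checks, here is a small Python model of the loose-equality coercion that GitHub Actions documents for `==` in expressions (null coerces to 0, booleans to 1/0, strings to a JSON number or NaN with the empty string as 0, arrays and objects to NaN, and NaN never compares equal), applied to the goreleaser `if:` from the hunk over constructed push and pull-request contexts. The context dicts, the `cancelled` key that stands in for the `cancelled()` function, and `gated_condition` are assumptions made here for illustration. Under these documented rules both `null == false` and `'' == false` are true, so the draft check on its own does not keep the job off push or tag events; only an explicit event or ref gate does.

```python
# Added example, not code from the PR or from the Visor checks: a model of the
# loose-equality coercion GitHub Actions documents for `==`, applied to the
# goreleaser `if:` from the hunk over constructed event contexts.
# Assumptions: contexts are plain dicts, a `cancelled` key stands in for the
# cancelled() function, and gated_condition is this example's own suggestion.
import json
import math
from typing import Any, Dict, Tuple


def to_number(value: Any) -> float:
    """Coerce as the Actions engine does when `==` operands differ in type:
    null -> 0, bool -> 1/0, string -> JSON number or NaN ("" -> 0), else NaN."""
    if value is None:
        return 0.0
    if isinstance(value, bool):
        return 1.0 if value else 0.0
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        if value == "":
            return 0.0
        try:
            parsed = json.loads(value)
        except ValueError:
            return math.nan
        if isinstance(parsed, bool) or not isinstance(parsed, (int, float)):
            return math.nan
        return float(parsed)
    return math.nan  # arrays and objects


def loose_eq(a: Any, b: Any) -> bool:
    """`a == b`: two strings compare case-insensitively; otherwise both sides
    are coerced to numbers and any NaN makes the comparison false."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    x, y = to_number(a), to_number(b)
    if math.isnan(x) or math.isnan(y):
        return False
    return x == y


def lookup(ctx: Dict[str, Any], path: str) -> Any:
    """Dotted context access; a missing property yields null, not an error."""
    cur: Any = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def dep_guard_ok(ctx: Dict[str, Any]) -> bool:
    result = lookup(ctx, "needs.dep-guard.result")
    return loose_eq(result, "success") or loose_eq(result, "skipped")


def goreleaser_condition(ctx: Dict[str, Any]) -> bool:
    """The `if:` as written in the hunk."""
    return (
        not lookup(ctx, "cancelled")
        and dep_guard_ok(ctx)
        and loose_eq(lookup(ctx, "github.event.pull_request.draft"), False)
    )


def gated_condition(ctx: Dict[str, Any]) -> bool:
    """Same guard chain plus an explicit ref/event gate (this example's suggestion)."""
    ref = lookup(ctx, "github.ref")
    is_version_tag = isinstance(ref, str) and ref.startswith("refs/tags/v")
    is_ready_pr = loose_eq(lookup(ctx, "github.event_name"), "pull_request") and loose_eq(
        lookup(ctx, "github.event.pull_request.draft"), False
    )
    return not lookup(ctx, "cancelled") and dep_guard_ok(ctx) and (is_version_tag or is_ready_pr)


def build_context(event_name: str, ref: str, draft: Any = None) -> Dict[str, Any]:
    """Constructed (not captured) context; github.event.pull_request exists only for PRs."""
    event: Dict[str, Any] = {}
    if event_name == "pull_request":
        event["pull_request"] = {"draft": draft}
    return {
        "cancelled": False,
        "needs": {"dep-guard": {"result": "success"}},
        "github": {"event_name": event_name, "ref": ref, "event": event},
    }


def evaluate_all() -> Dict[str, Tuple[bool, bool]]:
    """(as written, gated) for each constructed event."""
    cases = {
        "tag push": build_context("push", "refs/tags/v1.2.3"),
        "branch push": build_context("push", "refs/heads/feature"),
        "draft PR": build_context("pull_request", "refs/pull/7/merge", draft=True),
        "ready PR": build_context("pull_request", "refs/pull/7/merge", draft=False),
    }
    return {name: (goreleaser_condition(c), gated_condition(c)) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (as_written, gated) in evaluate_all().items():
        print(f"{name:12s} as written: {as_written!s:5s} gated: {gated}")
```

Running it shows the as-written condition passing on a branch push as well as on a tag push and a ready pull request, while the gated form passes only on the version tag and the ready pull request; a job holding `id-token: write` should use the gated form.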
runs-on: ${{ vars.DEFAULT_RUNNER }}
permissions:
id-token: write # AWS OIDC JWT
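Review bot: the new `if:` still does not restrict this job to an event or ref, and the draft check does not do that work either. In GitHub Actions expressions `github.event.pull_request.draft` is null on push and tag events, and `null == false` is true because both operands coerce to 0 before comparison, so both the removed line and the new condition pass on any event that reaches this job. Since the job carries `id-token: write` (the AWS OIDC token, in the context lines above), every non-draft pull request and every push the workflow listens for can obtain that token; gate it explicitly, for example `(startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'pull_request' && github.event.pull_request.draft == false))`. Also, `needs.dep-guard.result == 'skipped'` treats a skipped guard as a pass; if `dep-guard` has its own `if:` that can skip it, the release proceeds without the dependency check, so confirm that is intended or drop the `'skipped'` branch.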