Skip to content

🐛 Fix goreleaser workflow conditions for tag pushes#6888

Merged
philipbalinov merged 1 commit intomainfrom
fix/goreleaser-workflow-conditions
Mar 13, 2026
Merged

🐛 Fix goreleaser workflow conditions for tag pushes#6888
philipbalinov merged 1 commit intomainfrom
fix/goreleaser-workflow-conditions

Conversation

@philipbalinov
Copy link
Copy Markdown
Contributor

@philipbalinov philipbalinov commented Mar 12, 2026

Summary

  • Fix "Trigger mql bump in cnspec" step to correctly trigger on tag pushes (the inputs context is undefined on push events)
  • Simplify GoReleaser step conditions by consolidating skip-publish logic into the single step output

Test plan

  • Verify workflow triggers correctly on tag push
  • Verify workflow_dispatch still respects input parameters

🤖 Generated with Claude Code

@philipbalinov @claude
🐛 Fix goreleaser workflow conditions for tag pushes
70f9dbf 
The workflow conditions were failing on tag pushes because the `inputs`
context is undefined when not triggered via workflow_dispatch.

Changes:
- Fix "Trigger mql bump in cnspec" to run on tag pushes by checking
  `github.event_name == 'push'` as a fallback
- Simplify GoReleaser step conditions to use only the skip-publish step
  output, consolidating the logic in one place (the skip-publish step
  already checks the input)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mondoo-code-review[bot]
mondoo-code-review Bot reviewed Mar 12, 2026
View reviewed changes
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix removes inputs.skip-publish checks so tag-push events (where inputs is empty) don't incorrectly skip publishing.

Comment thread .github/workflows/goreleaser.yml

- name: Run GoReleaser and promote latest
if: ${{ inputs.skip-publish != true && steps.skip-publish.outputs.skip-publish != 'true' }}
if: ${{ steps.skip-publish.outputs.skip-publish != 'true' }}
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review Bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 warning — Removing inputs.skip-publish != true means that when the workflow is triggered via workflow_dispatch with skip-publish: true, the "promote latest" step will still run (since steps.skip-publish.outputs.skip-publish may not be 'true'). Verify that the skip-publish step reliably sets its output to 'true' whenever inputs.skip-publish is true, otherwise this change silently breaks the manual skip-publish opt-in.

Comment thread .github/workflows/goreleaser.yml

- name: Run GoReleaser without promoting 'latest'
if: ${{ inputs.skip-publish == true || steps.skip-publish.outputs.skip-publish == 'true' }}
if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review Bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 warning — Same concern here: the "without promoting latest" step now only checks the step output. If the step output isn't guaranteed to mirror the inputs.skip-publish value, a workflow_dispatch with skip-publish: true could fall through both conditions (or hit neither). Confirm the skip-publish step propagates the input correctly.

Comment thread .github/workflows/goreleaser.yml
# The docker container is a pre-requisite for cnspec release.
- name: Trigger mql bump in cnspec
if: ${{ inputs.skip-publish != true && inputs.skip-cnspec-bump != true && inputs.make-latest != false }}
if: ${{ steps.skip-publish.outputs.skip-publish != 'true' && (github.event_name == 'push' || (inputs.skip-cnspec-bump != true && inputs.make-latest != false)) }}
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review Bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 suggestion — The new condition github.event_name == 'push' will trigger the cnspec bump on every tag push unconditionally (ignoring skip-cnspec-bump and make-latest). If a tag push should also respect those flags (e.g. for pre-release tags), consider gating it further. Otherwise, add a brief comment explaining why tag pushes always bump cnspec.

@philipbalinov philipbalinov merged commit eff82bc into main Mar 13, 2026
10 checks passed
@philipbalinov philipbalinov deleted the fix/goreleaser-workflow-conditions branch March 13, 2026 07:46
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 13, 2026
@philipbalinov philipbalinov restored the fix/goreleaser-workflow-conditions branch March 27, 2026 09:09
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mondoo-code-review mondoo-code-review[bot] mondoo-code-review[bot] left review comments

@slntopp slntopp slntopp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@philipbalinov @slntopp