Fix the sass_api release #2557
Fix the sass_api release #2557
Conversation
| # This should be /-separated rather than hyphenated, but pub.dev doesn't | ||
| # currently allow that (dart-lang/pub-dev#8690). | ||
| - run: git tag sass-api-${{ steps.sass-api-version.outputs.version }} | ||
| - run: git push --tag |
There was a problem hiding this comment.
If you want to push with the implicit ${{ github.token }} that comes from github actions, you need to add permissions to the job definition:
permissions:
content: write
There was a problem hiding this comment.
Also, another problem I remember is that pushing with implicit token won't trigger another workflow. So you probably should use ${{ secrets.GH_TOKEN }} in checkout action, that it will trigger the workflow for new tag push.
There was a problem hiding this comment.
If you want to push with the implicit
${{ github.token }}that comes from github actions, you need to add permissions to the job definition:permissions: content: write
Isn't that inherited from the invocation in ci.yml? deploy_sass_parser is pushing a tag without explicit local permissions below.
There was a problem hiding this comment.
Also, another problem I remember is that pushing with implicit token won't trigger another workflow. So you probably should use
${{ secrets.GH_TOKEN }}incheckoutaction, that it will trigger the workflow for new tag push.
Done.
There was a problem hiding this comment.
Isn't that inherited
Permission inheritance in reusable workflow is a bit complicated. The permission declared in parent workflow defines the maximum permission child workflows can ask for, but if a child workflow did not explicitly ask for the permission, it won't get inherited from parent automatically.
https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions
Anyways, better to use a PAT so that it guarantee the push event triggers a new workflow.
There was a problem hiding this comment.
Well, it's now using the same setup as deploy_sass_parser including the token it uses for checkout so it should work.
|
|
||
| jobs: | ||
| deploy_sass_api: | ||
| if: "github.event.repository.fork == false" |
There was a problem hiding this comment.
Are these quotes necessary? IIRC quotes are only needed when the text contains a *
same below
There was a problem hiding this comment.
There are a number of active YAML characters. You're right that this doesn't need them, but I prefer to use them for anything with ${{ }} interpolation just to avoid needing readers to remember when { is or isn't an active YAML character.
| echo "version=$(cat pkg/sass_api/pubspec.yaml | sed -nE 's/version: (.*)/\1/p')" | tee --append "$GITHUB_OUTPUT" | ||
| # This should be /-separated rather than hyphenated, but pub.dev doesn't | ||
| # currently allow that (dart-lang/pub-dev#8690). | ||
| - run: git tag sass-api-${{ steps.sass-api-version.outputs.version }} |
There was a problem hiding this comment.
Not entirely sure, but another way this might be broken is that git might complain that "user" is not setup. Maybe we need to add these before creating the tag:
git config user.email
git config user.name
There was a problem hiding this comment.
I believe lightweight tags don't include any author information. (Note that the git user isn't set when tagging sass-parser below.)
Pub.dev just launched an update that requires GitHub publish actions to be run from a tag that matches the version number of the published package.
Pub.dev just launched an update that requires GitHub publish actions
to be run from a tag that matches the version number of the published
package.