Move haskell-tag to Release Workflow

Workflows that use the default GITHUB_TOKEN cannot trigger other Workflows. This is a security thing (thanks crypto-bros) that prevents us from pushing a tag in an attempt to trigger a Release. Instead, we move that tagging to the Release Workflow itself and allow that to run on pushes to main in addition to pushes of tags. This way, pushes of tags continue to upload as before, but also pushes of changed versions will now create a tag and upload, as desired.
2026-01-11 19:58:28 +01:00 · 2021-05-10 17:10:57 -04:00 · 2021-05-10 17:10:57 -04:00 · f892fa472d
commit f892fa472d
parent 7ec5c15e94
2 changed files with 12 additions and 15 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -30,15 +30,3 @@ jobs:
        stack-yaml: ${{ matrix.stack-yaml }}
        stack-arguments: --flag yesod-auth-oauth2:example
        weeder: false
-
-  tag:
-    runs-on: ubuntu-latest
-
-    if: ${{ github.ref == 'refs/heads/main' }}
-    needs: [test]
-
-    steps:
-      - uses: actions/checkout@v2
-      - env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        uses: freckle/haskell-tag-action@v1
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -2,16 +2,25 @@ name: Release to Hackage

 on:
  push:
+    branches: main
    tags:
      - 'v*'

 jobs:
  release:
    runs-on: ubuntu-latest
-    env:
-      HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
    steps:
      - uses: actions/checkout@v2
-      - uses: freckle/stack-upload-action@main
+
+      - id: tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: freckle/haskell-tag-action@v1
+
+      # If we're reacting to a manually pushed tag, or we just created one
+      - if: ${{ startsWith(github.ref, 'refs/tags/') || steps.tag.tag }}
+        env:
+          HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
+        uses: freckle/stack-upload-action@main
        with:
          pvp-bounds: both