fix(GHA): use inputs.ref for publish eligibility in cli.yml#2297
Merged
jakobmoellerdev merged 2 commits intoApr 15, 2026
Merged
Conversation
When cli-release.yml calls cli.yml via workflow_call, GITHUB_REF_NAME inherits the caller's ref (releases/v0.4) instead of the RC tag (cli/v0.4.0-rc.1). The branch-check only allowed publishing for main or cli/v* refs, so releases dispatched from release branches skipped the Publish and Attest job entirely. Use inputs.ref (the RC tag passed by cli-release.yml) when available, falling back to GITHUB_REF_NAME for direct push/tag triggers. Also update RELEASE_PROCESS.md to replace the removed "Branch to release from" input reference with "Use workflow from" branch selector. Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
✅ Deploy Preview for ocm-website canceled.
|
Add comments explaining the dispatch model and github.ref_name behavior across the cli-release.yml → cli.yml workflow_call boundary. Key documentation: - cli-release.yml: operator must select releases/v* in "Use workflow from" - cli-release.yml build job: inputs.ref carries the RC tag, not the branch - cli.yml top: dual-role (CI + reusable) and ref inheritance caveat - cli.yml branch-check: publish eligibility table for all trigger scenarios Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
jakobmoellerdev
approved these changes
Apr 15, 2026
1 task
matthiasbruns
approved these changes
Apr 15, 2026
Skarlso
approved these changes
Apr 15, 2026
morri-son
added a commit
that referenced
this pull request
Apr 15, 2026
## Summary Cherry-pick of #2297 to `releases/v0.4`. - Fix publish eligibility check in `cli.yml` to use `inputs.ref` (RC tag) instead of `GITHUB_REF_NAME` (branch) for `workflow_call` triggers - Add documentation for `workflow_call` ref inheritance behavior across release workflows --------- Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
ocmbot2 Bot
pushed a commit
to morri-son/open-component-model
that referenced
this pull request
Apr 15, 2026
…ponent-model#2297) ## Summary - **Fix publish gating in `cli.yml`**: When called via `workflow_call` from `cli-release.yml`, `GITHUB_REF_NAME` inherits the caller's ref (`releases/v0.4`) instead of the RC tag (`cli/v0.4.0-rc.1`). The `should_push_oci_image` check only matched `main` or `cli/v*`, so the Publish and Attest job was skipped for releases dispatched from release branches. Now uses `inputs.ref` when available. - **Update `RELEASE_PROCESS.md`**: Replace stale "Branch to release from" input reference with the "Use workflow from" branch selector, matching the workflow change in open-component-model#2131. ## Root Cause After open-component-model#2131 removed the explicit `branch` text input from `cli-release.yml`, the operator must select the `releases/v*` branch in the GitHub UI "Use workflow from" dropdown. This sets `GITHUB_REF_NAME = "releases/v0.4"` for the entire call chain. `cli.yml`'s branch-check (`should_push_oci_image`) tests `GITHUB_REF_NAME` against: 1. Default branch (`main`) — no match 2. `cli/v*` tag pattern — no match Result: Publish and Attest skipped → Conformance skipped. The v0.3 release worked because the old workflow was dispatched from `main` (the text input carried the branch separately), so `GITHUB_REF_NAME = "main"` matched condition 1. ## Fix Use `inputs.ref` (the RC tag, e.g. `cli/v0.4.0-rc.1`) when present, fall back to `GITHUB_REF_NAME` for direct triggers. The RC tag matches the `cli/v*` pattern, enabling publish. | Trigger | `inputs.ref` | Effective ref | Publishes | |---------|-------------|---------------|-----------| | `workflow_call` from `cli-release.yml` | `cli/v0.4.0-rc.1` | `cli/v0.4.0-rc.1` | Yes | | Push to `main` | empty | `main` | Yes | | Push tag `cli/v0.4.0` | empty | `cli/v0.4.0` | Yes | | Push to `releases/v0.4` | empty | `releases/v0.4` | No (build-only) | | Pull request | n/a | step skipped | No | ## Test plan - [ ] Verify the v0.4 release workflow can be re-run successfully from `releases/v0.4` after this change is cherry-picked - [ ] Dry-run a CLI release from a release branch to confirm Publish and Attest job is no longer skipped --------- Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> Co-authored-by: Gerald Morrison (SAP) <gerald.morrison@sap.com> aa48cc6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
cli.yml: When called viaworkflow_callfromcli-release.yml,GITHUB_REF_NAMEinherits the caller's ref (releases/v0.4) instead of the RC tag (cli/v0.4.0-rc.1). Theshould_push_oci_imagecheck only matchedmainorcli/v*, so the Publish and Attest job was skipped for releases dispatched from release branches. Now usesinputs.refwhen available.RELEASE_PROCESS.md: Replace stale "Branch to release from" input reference with the "Use workflow from" branch selector, matching the workflow change in chore: streamline release workflows and CLI build versioning #2131.Root Cause
After #2131 removed the explicit
branchtext input fromcli-release.yml, the operator must select thereleases/v*branch in the GitHub UI "Use workflow from" dropdown. This setsGITHUB_REF_NAME = "releases/v0.4"for the entire call chain.cli.yml's branch-check (should_push_oci_image) testsGITHUB_REF_NAMEagainst:main) — no matchcli/v*tag pattern — no matchResult: Publish and Attest skipped → Conformance skipped.
The v0.3 release worked because the old workflow was dispatched from
main(the text input carried the branch separately), soGITHUB_REF_NAME = "main"matched condition 1.Fix
Use
inputs.ref(the RC tag, e.g.cli/v0.4.0-rc.1) when present, fall back toGITHUB_REF_NAMEfor direct triggers. The RC tag matches thecli/v*pattern, enabling publish.inputs.refworkflow_callfromcli-release.ymlcli/v0.4.0-rc.1cli/v0.4.0-rc.1mainmaincli/v0.4.0cli/v0.4.0releases/v0.4releases/v0.4Test plan
releases/v0.4after this change is cherry-picked