github release workflow: only run on explicit dispatch

Release automation can be tested on any GitHub fork, using build_tools/release.sh $version $repository_owner $git_remote which should work perfectly except for macOS packages (which fail unless provided GitHub secrets). People might push tags to their forks, both non-release tags (which would trigger an early failure in "is-release-tag") or replicas of our actual release tags (which would create a draft release etc. and only fail when building macOS packages). Run on explicit workflow dispatch to make sure it's not triggered by accident like that. This means that we'll use the .github/workflows/release.yml from the default branch (i.e. master), so try to make sure it matches the version in the release, to prevent accidents. Closes #11816 (cherry picked from commit 01361b9217)
2026-06-03 15:01:16 -03:00 · 2025-09-22 17:09:13 +02:00
parent 7001abca9f
commit 4fe70f6965
2 changed files with 22 additions and 15 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,9 +1,11 @@
 name: Create a new release

-on:
-  push:
-    tags:
-      - '*.*.*'
+on: workflow_dispatch
+inputs:
+  version:
+    description: 'Version to release (tag name)'
+    required: true
+    type: string

 permissions:
  contents: write
@@ -16,7 +18,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
      - name: Check if the pushed tag looks like a release
        run: |
          set -x
@@ -36,7 +38,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
      - name: Install dependencies
        run: sudo apt install cmake gettext ninja-build python3-pip python3-sphinx
      - name: Create tarball
@@ -87,7 +89,7 @@ jobs:
        with:
          name: source-tarball
          path: |
-            /tmp/fish-built/fish-${{ github.ref_name }}.tar.xz
+            /tmp/fish-built/fish-${{ inputs.version }}.tar.xz
            /tmp/fish-built/release-notes.md
          if-no-files-found: error

@@ -99,7 +101,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
      - name: Install Rust Stable
        uses: ./.github/actions/rust-toolchain@stable
        with:
@@ -125,7 +127,7 @@ jobs:
      - uses: actions/upload-artifact@v4
        with:
          name: Static builds for Linux
-          path: fish-${{ github.ref_name }}-linux-*.tar.xz
+          path: fish-${{ inputs.version }}-linux-*.tar.xz
          if-no-files-found: error

  create-draft-release:
@@ -139,7 +141,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
@@ -150,13 +152,13 @@ jobs:
      - name: Create draft release
        uses: softprops/action-gh-release@v2
        with:
-          tag_name: ${{ github.ref_name }}
-          name: fish ${{ github.ref_name }}
+          tag_name: ${{ inputs.version }}
+          name: fish ${{ inputs.version }}
          body_path: /tmp/artifacts/release-notes.md
          draft: true
          files: |
-            /tmp/artifacts/fish-${{ github.ref_name }}.tar.xz
-            /tmp/artifacts/fish-${{ github.ref_name }}-linux-*.tar.xz
+            /tmp/artifacts/fish-${{ inputs.version }}.tar.xz
+            /tmp/artifacts/fish-${{ inputs.version }}-linux-*.tar.xz

  packages-for-macos:
    needs: [is-release-tag, create-draft-release]
@@ -167,7 +169,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          # Workaround for https://github.com/actions/checkout/issues/882
-          ref: ${{ github.ref }}
+          ref: ${{ inputs.version }}
      - name: Install Rust
        uses: ./.github/actions/rust-toolchain@oldest-supported
        with:
--- a/build_tools/release.sh
+++ b/build_tools/release.sh
@@ -54,6 +54,9 @@ integration_branch=$(
 [ -n "$integration_branch" ] ||
    git merge-base --is-ancestor $remote/master HEAD

+release_flow=.github/workflows/release.yml
+git diff --exit-code -- :/$release_flow $remote/master:$release_flow
+
 sed -n 1p CHANGELOG.rst | grep -q '^fish .*(released .*)$'
 sed -n 2p CHANGELOG.rst | grep -q '^===*$'

@@ -83,6 +86,8 @@ gh() {
    command gh --repo "$repository_owner/fish-shell" "$@"
 }

+gh workflow run release.yml --raw-field "version=$version"
+
 run_id=
 while [ -z "$run_id" ] && sleep 5
 do