
Prevent accidentally pushing tags #1078

@eseiler

Description


Since the release-please workflow depends on an auto-generated pull request being merged to build and upload quay.io images, it might be worthwhile to prohibit anyone but the bot from pushing tags.

Because deploy keys don't work with release-please as of now, creating a GitHub App would apparently be the way to go.
In the collapsible below, the App would then be exempt (instead of deploy keys), and the workflow would generate a token to use.

Alternatively,

  • Use an account and generate a PAT, exempt the user.
  • Wait for release-please to support deploy keys.
  • Wait for GitHub to make the Actions bot act like a user.
  • Hope for metadata rules (!committer/author email!) to not be enterprise-only at some point.

Edit: This doesn't work because the release-please action would need to support ssh/deploy-keys.

This could be done via rules: Settings -> Rules -> Rulesets -> New ruleset -> New tag ruleset

Rule settings (from the screenshot):

  • Give it a name
  • Set Enforcement to "Active"
  • Bypass list: Allow for "Deploy keys"
  • Target tags: Add "All tags"
  • Tag Rules:
    • Tick "Restrict creations"
    • Untick all other rules
  • Press "create" at the bottom

Bypass via Deploy Key

The GitHub Actions bot can't be directly added to the bypass list, but we can create a deploy key for the bot.

Deploy key setup

A key should be generated via

```sh
ssh-keygen -t ed25519 -C "github-actions@github.com" -N ""
```

This key should be added:

  • To Deploy Keys (in Settings, make sure to tick "Allow write access")
  • Repository Secrets (Settings -> Secrets and variables -> Actions)

Let's say the secret is called DEPLOY_KEY.

```yaml
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
```

Edit: This is wrong. The release-please action would need the deploy key.
Changing this to

```yaml
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ssh-key: ${{ secrets.DEPLOY_KEY }}
```

should then prevent anyone but the GitHub Actions bot from creating tags.

There are other ways to achieve this, for example, by creating a bot user or using an existing account, then creating a token, and using the token to create the tag. Then this user could be directly allowed to bypass the tag rules.
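The GitHub App variant mentioned at the top of the issue, written out as a complete workflow. This is an added example, not code from the issue or from the repository's own workflows. It assumes a GitHub App installed on the repository with "Contents: write" and "Pull requests: write" permissions, its numeric ID stored in the repository variable RELEASE_APP_ID and its private key in the secret RELEASE_APP_PRIVATE_KEY (both names are placeholders), a release-please manifest config in the repository, and a tag ruleset whose bypass list names this App (bypass actor type "Integration") instead of "Deploy keys". Tags are then created by release-please with the App's token, so the "Restrict creations" rule lets them through while rejecting tag pushes from every other account and from the default GITHUB_TOKEN, which has no bypass entry.

```yaml
# Added example: release workflow that authenticates as a GitHub App so that
# only the App (exempt from the tag ruleset) ever creates tags.
name: release-please

on:
  push:
    branches: [main]

# The default GITHUB_TOKEN is not used for any write; all writes go through
# the short-lived App installation token minted below.
permissions:
  contents: read

jobs:
  release-please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      # Mint an installation token for the App. It expires after the job, so
      # the only long-lived secret in the repository is the App's private key.
      # RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY are placeholder names.
      - name: Generate App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      # release-please opens/updates the release PR and, once that PR is
      # merged, creates the GitHub release and the tag using the App token.
      # Assumes release-please-config.json and .release-please-manifest.json
      # exist in the repository (otherwise a release-type input is needed).
      - name: Run release-please
        id: release
        uses: googleapis/release-please-action@v4
        with:
          token: ${{ steps.app-token.outputs.token }}

  # Downstream work (e.g. the quay.io image build) keys off the release
  # output rather than off a tag push event, so it only runs for tags the
  # App actually created.
  build-images:
    needs: release-please
    if: needs.release-please.outputs.release_created == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ needs.release-please.outputs.tag_name }}
      # Placeholder for the image build and push steps.
      - run: echo "build and push images for ${{ needs.release-please.outputs.tag_name }}"
```

To confirm the ruleset is doing its job, a maintainer can try to push a tag from a normal clone; GitHub should reject it with a rulesets error, while the tag created by the workflow run appears normally. If the bypass entry is accidentally set to a broader actor (for example a repository role), that same manual push will succeed, which is the quickest way to spot a misconfigured bypass list.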
