Skip to content

CI: gate nightly/release publishing on successful builds#8464

Open
atavism wants to merge 2 commits intomainfrom
atavism/ci-publish-updates
Open

CI: gate nightly/release publishing on successful builds#8464
atavism wants to merge 2 commits intomainfrom
atavism/ci-publish-updates

Conversation

@atavism
Copy link
Contributor

@atavism atavism commented Feb 10, 2026

This PR fixes a CI issue where nightly and release workflows could still publish artifacts even when build jobs fail (due to if: always() on publish and app store uploads not being gated on overall success)

@atavism atavism requested a review from Copilot February 10, 2026 17:54
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 10, 2026
View reviewed changes
.github/workflows/nightly.yml
Comment on lines 375 to 407
needs:
[
set-nightly-metadata,
build-macos,
build-windows,
build-linux,
build-android,
build-ios,
publish,
]
if: |
always() &&
!cancelled() &&
github.event.inputs.dry_run != 'true' &&
(
needs.build-macos.result == 'failure' ||
needs.build-windows.result == 'failure' ||
needs.build-linux.result == 'failure' ||
needs.build-android.result == 'failure' ||
needs.build-ios.result == 'failure' ||
needs.publish.result == 'failure'
)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Cleanup Failed GitHub Pre-Release
env:
GH_TOKEN: ${{ github.token }}
VERSION: ${{ needs.set-nightly-metadata.outputs.version }}
run: |
set -euxo pipefail
# Delete if it exists
gh release delete "$VERSION" --cleanup-tag || true

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 4 days ago

In general, the fix is to define an explicit permissions: block in the workflow, specifying the minimal scopes required. You can do this either at the workflow root (so it applies to all jobs) or per job. Since the CodeQL warning is about the workflow not limiting GITHUB_TOKEN, the most straightforward fix is to add a root‑level permissions: block with contents: read as a safe baseline, and then selectively elevate permissions for jobs that must modify releases or other resources.

For this specific file, the cleanup job uses gh release delete, which requires write access to repository contents. At minimum, that job needs contents: write. Other jobs like publish are likely also creating or updating releases or assets, but since their internals are not shown and the CodeQL report is specifically pointing at the workflow lacking any permissions: block, we can provide a minimal, non‑breaking fix by: (1) adding a workflow‑level permissions: contents: read immediately after the name: Nightly line, and (2) adding a job‑level permissions: block to the cleanup job specifying contents: write. This keeps the default for all jobs read‑only while granting write rights only where clearly needed, without altering the jobs’ logic.

Concretely:

  • Edit .github/workflows/nightly.yml.

  • After line 1 (name: Nightly), insert:

    permissions:
  contents: read

  • In the cleanup job definition (around lines 374–399), add:

        permissions:
      contents: write

    just before runs-on: ubuntu-latest. This ensures that only the cleanup job has write permissions needed for gh release delete, while other jobs run with read‑only contents permissions by default.

No additional imports or external dependencies are required; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/nightly.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,4 +1,6 @@
 name: Nightly
+permissions:
+  contents: read
 
 on:
   schedule:
@@ -394,6 +396,8 @@
         needs.build-ios.result     == 'failure'   || needs.build-ios.result     == 'cancelled' ||
         needs.publish.result       == 'failure'   || needs.publish.result       == 'cancelled'
       )
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
EOF
@@ -1,4 +1,6 @@
name: Nightly
permissions:
contents: read

on:
schedule:
@@ -394,6 +396,8 @@
needs.build-ios.result == 'failure' || needs.build-ios.result == 'cancelled' ||
needs.publish.result == 'failure' || needs.publish.result == 'cancelled'
)
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Copilot is powered by AI and may make mistakes. Always verify output.
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the release and nightly GitHub Actions workflows to prevent publishing and store uploads from running when upstream build jobs fail, addressing cases where if: always() previously allowed artifact publication despite failed builds.

Changes:

  • Gate publish jobs in both release.yml and nightly.yml on upstream job results being success or skipped (and not cancelled).
  • Reorder app store upload jobs in release.yml to depend on a successful publish.
  • Replace an inline “cleanup failed pre-release” step in nightly.yml with a dedicated cleanup job that runs after failures.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/release.yml Prevent publishing/app store uploads unless metadata + relevant builds complete successfully (or are skipped).
.github/workflows/nightly.yml Prevent nightly publish on failed builds and move GitHub release cleanup into a dedicated post-failure job.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jay-418
jay-418 reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

@jay-418 jay-418 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @atavism, I'm sorry I didn't mention this sooner, but I saw the same problem, and decided that having separate release.yaml and nightly.yaml was making for some duplicated and convoluted logic, and I've rewritten this to just use one release file (and extracted some inline code out into scripts).

I'm happy to do whatever you prefer here:

  • close this and only merge mine, or
  • merge yours first, then'll I'll rebase mine on the changes and deal with the conflict

@atavism
Copy link
Contributor Author

atavism commented Feb 11, 2026

@jay-418 This PR is just gating/ordering fixes (for instance, don’t upload to stores if release artifacts fail), not a workflow redesign. Also, moving cleanup into a separate job that runs on failure/cancel and deletes the draft/tag .. Can you port these changes into #8455?

@jay-418
Copy link
Contributor

jay-418 commented Feb 11, 2026

Can you port these changes into #8455?

@atavism #8455 does already have cleanup on failure that does the same thing.

The only part of this PR not already covered there are the Google Play changes you added.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jay-418 jay-418 jay-418 left review comments

Copilot code review Copilot Copilot left review comments

@myleshorton myleshorton Awaiting requested review from myleshorton

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@atavism @jay-418