ci: add workflow_dispatch escape hatch to sync-plugin-version.yml #19
Defensive fix for the failure mode surfaced by workflow-plugin-aws#18: sync-plugin-version.yml did not fire on a v1.2.0 tag push despite the matching `tags: ['v*']` trigger that worked on v1.1.0. Root cause was not identified (likely transient GitHub Actions backend hiccup); the workaround was a manual one-line plugin.json sync PR. This change adds a workflow_dispatch trigger taking a tag input so the sync workflow can be manually re-fired when the push-tag trigger silently no-ops. The same patch is being applied across all 4 IaC plugin repos (aws/gcp/azure/digitalocean) since they share the workflow file pattern. The push-tag trigger path is unchanged; the manual dispatch path uses `inputs.tag` and falls back to `github.ref_name` otherwise via the `inputs.tag || github.ref_name` expression. Closes workflow-plugin-aws#18 (defensive fix; no root cause identified).
Pull request overview
Adds a manual “escape hatch” for the sync-plugin-version.yml GitHub Actions workflow so maintainers can re-run the plugin.json version sync by providing a tag when the tag-push trigger fails to fire.
Changes:
- Add `workflow_dispatch` trigger with required `tag` input.
- Compute the target tag via `${{ inputs.tag || github.ref_name }}` to support both manual dispatch and tag pushes.
| id: ver | ||
| run: | | ||
| TAG="${GITHUB_REF_NAME}" | ||
| TAG="${{ inputs.tag || github.ref_name }}" |
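Review bot: the replacement line `TAG="${{ inputs.tag || github.ref_name }}"` has the expression expanded into the script text before the shell parses it, so the free-form `workflow_dispatch` input is read as shell source rather than as data. Pass the value through the step's `env:` block (`TAG: ${{ inputs.tag || github.ref_name }}`) and read it in `run:` as `"$TAG"`, the same way the removed line read `${GITHUB_REF_NAME}` from the environment.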
Addresses Copilot findings on the workflow_dispatch escape-hatch PR:
- Add explicit tag regex validation (^vN.N.N(-suffix)?$) before any shell/Python interpolation — addresses 3 shell-injection inlines raised by Copilot across the 4 plugin PRs (gcp #12 line 26, DO #122 lines 29 + 43, aws #19 line 26).
- DO only: restore the downloads[*].url update block that the prior push clobbered. DO has a regression-gate test TestSyncPluginVersionWorkflowUpdatesDownloads asserting the python block updates dl['url'] per release tag.
- aws/gcp/azure: NOT adding downloads-update because their goreleaser binary naming convention differs (`{name}_{version}_{goos}_{goarch}` vs DO's `{name}-{goos}-{goarch}`) — would create broken URLs. The downloads[] staleness is cosmetic; workflow-registry has authoritative download URLs.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
.github/workflows/sync-plugin-version.yml:35
- Same interpolation issue here: `TAG="${{ … }}"` embeds the expression result into the shell source, so a tag/input containing '"' (or similar) can change the script before validation. Consider setting TAG once via `env:` (reused by both steps) and using that variable in the script to avoid quote/command injection and reduce duplication.

```yaml
- name: Compute target version from tag
  id: ver
  run: |
    TAG="${{ inputs.tag || github.ref_name }}"
    VERSION="${TAG#v}"
    echo "version=$VERSION" >> $GITHUB_OUTPUT
```

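
The pattern the comment above recommends, as an added example that is not part of this PR or the repository's workflow: the tag reaches the script as data in environment variables, is validated, and only then used. The names `TAG_INPUT` and `REF_NAME` are assumptions standing for values a workflow would set under `env:`, and `grep -E` replaces the workflow's `[[ =~ ]]` so the script also runs under plain `sh`.

```shell
#!/bin/sh
# Added example (not the project's code). TAG_INPUT and REF_NAME are assumed
# names for values a workflow step would receive through its `env:` block,
# so the shell only ever sees them as variable contents, never as source.

NL='
'

# Succeeds only for vN.N.N or vN.N.N-suffix (same pattern as the PR's regex).
is_valid_tag() {
  case "$1" in
    *"$NL"*) return 1 ;;  # grep matches per line, so reject newlines first
  esac
  printf '%s\n' "$1" |
    grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$'
}

# Mirrors `inputs.tag || github.ref_name`: manual input wins when non-empty.
# Prints the version without the leading "v", or fails without echoing the
# rejected value.
resolve_version() {
  tag="${TAG_INPUT:-$REF_NAME}"
  if ! is_valid_tag "$tag"; then
    echo "::error::Invalid tag format (expected vN.N.N or vN.N.N-suffix)" >&2
    return 1
  fi
  printf '%s\n' "${tag#v}"
}

# Constructed sample inputs, not taken from the PR.
for t in 'v1.2.0' 'v1.2.0-rc.1' '1.2.0' 'v1.0.0"; echo injected'; do
  if is_valid_tag "$t"; then echo "accept: $t"; else echo "reject: $t"; fi
done
```
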
| - name: Validate tag format | ||
| run: | | ||
| TAG="${{ inputs.tag || github.ref_name }}" | ||
| if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then | ||
| echo "::error::Invalid tag format: $TAG (expected vN.N.N or vN.N.N-suffix)" | ||
| exit 1 |
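Review bot: the first line of this step, `TAG="${{ inputs.tag || github.ref_name }}"`, is expanded into the script before the `[[ "$TAG" =~ ... ]]` test runs, so the check cannot protect the step from the kind of value it is meant to reject. The compute step then evaluates the same expression again on its own rather than consuming the validated value. Define `TAG: ${{ inputs.tag || github.ref_name }}` once under `env:` at job level and have both steps read `"$TAG"` from the environment, so the regex sees the value as data and every later step uses exactly what was checked.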
r2 review acknowledgement
Copilot's r2 inline at CI green; admin-merging.
Summary
Defensive fix for workflow-plugin-aws#18: sync-plugin-version.yml silently no-op'd on a v1.2.0 tag push despite the matching `tags: ['v*']` trigger that worked on v1.1.0. Root cause not identified (likely transient GitHub Actions backend hiccup); workaround was a manual one-line plugin.json sync PR.
This patch adds a `workflow_dispatch` trigger taking a `tag` input so the sync workflow can be manually re-fired when the push-tag trigger silently fails. Same patch applied across all 4 IaC plugin repos (aws/gcp/azure/digitalocean) since they share the workflow file pattern.
Changes
- `workflow_dispatch` with `inputs.tag` (required string)
- `${{ inputs.tag || github.ref_name }}` — manual dispatch uses input, push-tag uses ref_name
Test plan
- `actionlint` errors)
- `tag: v0.0.0` smoke-test to verify the workflow runs end-to-end (skipped — no test tag available; will exercise on the next real release)
Rollback
Revert this commit. Defensive change only; push-tag path unchanged.
Closes #18.