fix: chain docker publish from release workflow

jpr5 · jpr5 · commit a696866c847a · 2026-04-18T07:37:17.000-07:00
GitHub's anti-recursion rule prevents workflows from triggering other workflows when acting as GITHUB_TOKEN. publish-release.yml pushes the release tag with the default token, so the push:tags:v* trigger on publish-docker.yml never fires. Result: v1.11.0 through v1.14.3 all published to npm but no Docker image reached GHCR, and the v1.14.3 OOM fix never made it to the Railway service pulling ghcr.io/copilotkit/aimock:latest. Fix by explicitly dispatching publish-docker.yml via `gh workflow run --ref <TAG>` after the npm publish step succeeds. This does not depend on tag-trigger behavior and is guarded by the same steps.check.outputs.published == 'false' condition as the publish, so Docker only builds when npm publish actually happened. Also restore the workflow_dispatch trigger on publish-docker.yml (added in 486ccd9, inadvertently removed in 63aab1e); `gh workflow run` requires workflow_dispatch on the ref being invoked. The existing push:tags:v* trigger stays as belt-and-suspenders for anyone pushing tags manually from a local clone with a PAT. Option chosen: explicit chain over PAT or workflow_call. Least invasive (no new secrets, no cross-workflow refactor), most observable (the dispatch shows up as a discrete step in the release run), and the failure mode is clearly visible in the release workflow log.
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - main
+  workflow_dispatch:
 
 env:
   REGISTRY: ghcr.io
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -10,6 +10,7 @@ jobs:
     permissions:
       contents: write
       id-token: write
+      actions: write
     steps:
       - uses: actions/checkout@v4
         with: { fetch-depth: 0 }
@@ -81,6 +82,17 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Trigger Docker publish workflow
+        # GitHub's anti-recursion rule: tags pushed by GITHUB_TOKEN do NOT
+        # trigger downstream workflows. Explicitly dispatch publish-docker.yml
+        # so the GHCR image actually gets built on every release.
+        if: steps.check.outputs.published == 'false'
+        run: |
+          TAG="v${{ steps.check.outputs.version }}"
+          gh workflow run publish-docker.yml --ref "${TAG}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Notify Slack
         if: steps.check.outputs.published == 'false'
         run: |
