Merged
16 changes: 5 additions & 11 deletions .github/workflows/nexus-upload-on-release.yaml
@@ -1,24 +1,18 @@
name: Nexus Upload (Post Release)

on:
workflow_run:
workflows: ["Build Community Shaders and addons"]
types: [completed]
branches:
- "v[0-9]*.[0-9]*.[0-9]*"
release:
types: [published]

jobs:
nexus-upload:
name: Nexus Upload (dry run)
# workflow_run always runs in the base repo context, so secrets are available
# regardless of whether the triggering PR/push came from a fork.
# head_branch for a tag-triggered workflow_run is the tag name (e.g. v1.2.3).
# Fires when a draft release is published. Only stable tags (no '-') are uploaded.
if: >
github.event.workflow_run.conclusion == 'success' &&
!contains(github.event.workflow_run.head_branch, '-')
!contains(github.event.release.tag_name, '-')
uses: ./.github/workflows/upload-nexus.yaml
with:
tag: ${{ github.event.workflow_run.head_branch }}
tag: ${{ github.event.release.tag_name }}
artifact_pattern: "CommunityShaders-*.7z"
dry_run: "true"
Comment on lines 13 to 17
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

This published-release workflow still never performs the upload.

Because .github/workflows/upload-nexus.yaml gates upload-to-nexus on dry_run != 'true' at Lines 245-247, this caller can only do the preview path. If the intent is to upload automatically after publish, this input needs to be false.

Suggested fix
         with:
             tag: ${{ github.event.release.tag_name }}
             artifact_pattern: "CommunityShaders-*.7z"
-            dry_run: "true"
+            dry_run: "false"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/nexus-upload-on-release.yaml around lines 13 - 17, The
workflow caller sets the reusable workflow input dry_run to "true", which
prevents the upload step gated by the upload-to-nexus condition from ever
running; change the dry_run input passed to the reusable workflow (in
.github/workflows/nexus-upload-on-release.yaml where it calls
./.github/workflows/upload-nexus.yaml) from "true" to "false" (or wire it to a
release/input variable that evaluates to false) so the upload-to-nexus gate in
upload-nexus.yaml will allow the actual upload to run.

secrets:
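Review bot: The stable-only gate in the `if:` expression rests on the tag name alone (`!contains(github.event.release.tag_name, '-')`), so a release published with the pre-release flag set but a hyphen-free tag would still reach upload-nexus.yaml with the `secrets:` block attached. Consider also requiring `!github.event.release.prerelease` in the same condition. The job name still reads "Nexus Upload (dry run)" and the new comment says "Fires when a draft release is published", so both should be aligned with whatever value `dry_run` ends up carrying.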
8 changes: 8 additions & 0 deletions .github/workflows/upload-nexus.yaml
Expand Up @@ -98,11 +98,18 @@ jobs:
echo "ERROR: '$TAG' is a pre-release tag. Only stable releases are uploaded to Nexus." >&2
exit 1
fi
DRAFT=$(gh api "repos/$GITHUB_REPOSITORY/releases" \
--jq ".[] | select(.tag_name == \"$TAG\") | .draft" 2>/dev/null | head -1)
if [ "$DRAFT" != "false" ]; then
echo "ERROR: Release '$TAG' is not published. Publish the GitHub release before uploading to Nexus." >&2
exit 1
fi
Comment on lines +101 to +106
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/upload-nexus.yaml | sed -n '95,110p'

Repository: community-shaders/skyrim-community-shaders

Length of output: 1010


🏁 Script executed:

cat -n .github/workflows/upload-nexus.yaml | sed -n '1,50p'

Repository: community-shaders/skyrim-community-shaders

Length of output: 2181


🏁 Script executed:

wc -l .github/workflows/upload-nexus.yaml

Repository: community-shaders/skyrim-community-shaders

Length of output: 126


🏁 Script executed:

# Check GitHub CLI documentation for releases endpoint behavior
gh api --help 2>&1 | head -50

Repository: community-shaders/skyrim-community-shaders

Length of output: 2767


🏁 Script executed:

# Test what happens when gh api returns empty result
TEST_EMPTY=$(echo "" | head -1)
if [ "$TEST_EMPTY" != "false" ]; then
  echo "Empty string test: condition is TRUE (empty != false)"
else
  echo "Empty string test: condition is FALSE"
fi

# Test what the condition does with actual empty output
TEST_EMPTY2=$( { echo ""; } | head -1)
if [ "$TEST_EMPTY2" != "false" ]; then
  echo "Empty output test: condition is TRUE"
else
  echo "Empty output test: condition is FALSE"
fi

Repository: community-shaders/skyrim-community-shaders

Length of output: 177


🌐 Web query:

GitHub API GET /repos/{owner}/{repo}/releases pagination default per_page

💡 Result:

The default per_page for the GitHub REST API GET /repos/{owner}/{repo}/releases endpoint is 30. This is explicitly stated in the official GitHub documentation for the releases endpoint. The maximum per_page is 100. Pagination also supports a page parameter with default 1.


🌐 Web query:

GitHub API GET /repos/{owner}/{repo}/releases/tags/{tag} endpoint

💡 Result:

The GitHub REST API endpoint GET /repos/{owner}/{repo}/releases/tags/{tag} retrieves a published release associated with the specified tag name. Path parameters: - owner (string, required): The account owner of the repository. The name is not case sensitive. - repo (string, required): The name of the repository without the .git extension. The name is not case sensitive. - tag (string, required): The tag name. HTTP method: GET Base URL: https://api.github.com Example: curl -L -X GET https://api.github.com/repos/OWNER/REPO/releases/tags/TAG Response: On success (200), returns the full release object (same schema as the "Create a release" endpoint), including fields like id, tag_name, name, body, author, assets, etc. This endpoint gets releases only; it does not return regular Git tags without an associated release. Use the Repository Tags API for plain tags. No authentication is strictly required for public repositories, but recommended for rate limits. Uses standard GitHub API headers like Accept: application/vnd.github+json.


Use the tag-specific release endpoint to avoid pagination issues.

The list endpoint defaults to 30 items per page. When manually dispatched against older published tags (beyond the first page), the client-side filter fails to find the release, DRAFT becomes empty, and the condition [ "$DRAFT" != "false" ] incorrectly evaluates to true, causing a false "not published" error. Query the release by tag directly instead.

Suggested fix
-                  DRAFT=$(gh api "repos/$GITHUB_REPOSITORY/releases" \
-                    --jq ".[] | select(.tag_name == \"$TAG\") | .draft" 2>/dev/null | head -1)
+                  DRAFT=$(gh api "repos/$GITHUB_REPOSITORY/releases/tags/$TAG" \
+                    --jq '.draft' 2>/dev/null)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/upload-nexus.yaml around lines 101 - 106, The script uses
the list releases endpoint and client-side filtering which hits pagination;
change the gh api call that sets DRAFT (currently calling
"repos/$GITHUB_REPOSITORY/releases" with TAG filtering) to call the tag-specific
endpoint "repos/$GITHUB_REPOSITORY/releases/tags/$TAG" so the release is looked
up directly, then extract .draft from that response and handle a
non-existent/404 response (treat as error); update the DRAFT assignment and the
subsequent check that compares DRAFT to "false" accordingly (symbols: DRAFT,
TAG, the gh api invocation).

VERSION="${TAG#v}"
echo "tag=$TAG" >> $GITHUB_OUTPUT
echo "version=$VERSION" >> $GITHUB_OUTPUT
env:
INPUT_TAG: ${{ inputs.tag || '' }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Compute dry-run mode
id: dryrun
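Review bot: In the new DRAFT lookup, `2>/dev/null` together with the `[ "$DRAFT" != "false" ]` test turns every `gh api` failure (a missing or under-scoped GH_TOKEN, a rate limit, a network error) into the message "Release '$TAG' is not published", which sends the operator after the wrong cause. The check fails closed, which is the safe direction, but the exit status of `gh api` should be tested separately and its error printed, keeping the "not published" message for the case where the call succeeded and `.draft` is `true`. `$TAG` is also spliced into the jq program text inside the double-quoted filter; unless it is validated above this hunk, pass it as data instead (for example by piping the response to `jq --arg`).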
Expand All @@ -120,6 +127,7 @@ jobs:
run: |
ARGS=( --export-nexus-matrix --matrix-output nexus-matrix-raw.json )
PREVIOUS_TAG=$(git tag --merged "$RELEASE_TAG" --list 'v*.*.*' --sort=-v:refname 2>/dev/null \
| grep -v -- '-' \
| awk -v current="$RELEASE_TAG" '$0 != current { print; exit }')
if [ -n "$PREVIOUS_TAG" ]; then
ARGS+=( --base "$PREVIOUS_TAG" )
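Review bot: In the PREVIOUS_TAG pipeline, `grep -v -- '-'` exits with status 1 when every candidate tag contains a hyphen; if this step's shell runs with `pipefail` and `-e`, the assignment fails and the step aborts instead of falling through to the `[ -n "$PREVIOUS_TAG" ]` check. Folding the filter into the existing awk stage, as in `$0 != current && $0 !~ /-/ { print; exit }`, removes the extra process and the exit-status question.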