From f892fa472df69007a1d7bbdca53eb4bd473c1fd6 Mon Sep 17 00:00:00 2001
From: patrick brisbin
Date: Mon, 10 May 2021 17:10:57 -0400
Subject: [PATCH] Move haskell-tag to Release Workflow
Workflows that use the default GITHUB_TOKEN cannot trigger other Workflows. This is a security thing (thanks crypto-bros) that prevents us from pushing a tag in an attempt to trigger a Release. Instead, we move that tagging to the Release Workflow itself and allow that to run on pushes to main in addition to pushes of tags. This way, pushes of tags continue to upload as before, but also pushes of changed versions will now create a tag and upload, as desired.
---
 .github/workflows/ci.yml | 12 ------------
 .github/workflows/release.yml | 15 ++++++++++++---
 2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 73d987a..21cc593 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,15 +30,3 @@ jobs:
 stack-yaml: ${{ matrix.stack-yaml }}
 stack-arguments: --flag yesod-auth-oauth2:example
 weeder: false
-
- tag:
- runs-on: ubuntu-latest
-
- if: ${{ github.ref == 'refs/heads/main' }}
- needs: [test]
-
- steps:
- - uses: actions/checkout@v2
- - env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: freckle/haskell-tag-action@v1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 60dc438..11bf067 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,16 +2,25 @@ name: Release to Hackage
 on:
 push:
+ branches: main
 tags:
 - 'v*'
 jobs:
 release:
 runs-on: ubuntu-latest
- env:
- HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
 steps:
 - uses: actions/checkout@v2
- - uses: freckle/stack-upload-action@main
+
+ - id: tag
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ uses: freckle/haskell-tag-action@v1
+
+ # If we're reacting to a manually pushed tag, or we just created one
+ - if: ${{ startsWith(github.ref, 'refs/tags/') || steps.tag.tag }}
+ env:
+ HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
+ uses: freckle/stack-upload-action@main
 with:
 pvp-bounds: both
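Review bot: The upload step's condition reads `steps.tag.tag`, but step outputs live under `steps.<id>.outputs`, so on a push to main the expression evaluates empty and the Hackage upload is skipped even when a tag was just created; assuming the tag action exposes an output named `tag`, the line would be `- if: ${{ startsWith(github.ref, 'refs/tags/') || steps.tag.outputs.tag }}`. The step that receives `HACKAGE_API_KEY` runs `freckle/stack-upload-action@main`, a mutable branch ref, so whatever lands on that branch executes with the upload key; pinning it as `uses: freckle/stack-upload-action@<full-commit-sha>` (and likewise the `@v1` tag action that receives `GITHUB_TOKEN`) keeps the release path reviewable. Moving the tagging here also drops the `needs: [test]` gate the removed `tag` job in ci.yml had, so tagging and publishing on a push to main no longer wait for the test job.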