Add nightly release tag workflow and adapt CI for moving tags #2223

Open
petermm wants to merge 1 commit into atomvm:release-0.7 from petermm:ci-nightly-tags
petermm commented Mar 22, 2026

ci: add nightly latest-tag release builds

Summary

This adds nightly release builds using moving *-latest tags.

The new workflow updates nightly tags on a schedule.
Versioned release tags continue to behave like normal releases, while moving nightly tags are allowed to refresh assets in place.

What this changes

  • adds a nightly tag workflow:
    • main -> main-latest
    • active release branch -> release-X.Y-latest
  • publishes *-latest builds as prereleases instead of drafts
  • only allows asset overwrite for moving *-latest tags
  • skips docs publishing for nightly tags
  • skips CodeQL for nightly tag runs
  • skips whole expensive workflows on nightly tags where those runs are not needed

Branch rollout

This should be landed on release-0.7 branch first, then forward-ported to main.

Required setup

This workflow requires a repository secret named RELEASE_TAG_PUSH_TOKEN.

Why:

  • the nightly workflow force-updates moving tags
  • those tag updates must trigger downstream workflows
  • GITHUB_TOKEN is intentionally not used for this

Recommended token:

  • fine-grained PAT
  • repository access: atomvm/AtomVM
  • repository permission: Contents: Read and write

Create a dedicated fine-grained PAT on GitHub:

  1. Open GitHub and go to:
    • Settings
    • Developer settings
    • Personal access tokens
    • Fine-grained tokens
    • Generate new token
  2. Set:
    • Token name: AtomVM nightly release tags
    • Resource owner: atomvm
    • Expiration: pick a reasonable rotation window
    • Repository access: Only select repositories
    • Selected repository: AtomVM
  3. Under repository permissions, grant:
    • Contents: Read and write
  4. Create the token and copy it immediately.

Store the secret with gh:

gh secret set RELEASE_TAG_PUSH_TOKEN --repo atomvm/AtomVM

Paste the PAT when prompted.

Verify:

gh secret list --repo atomvm/AtomVM

Delete the secret if needed:

gh secret delete RELEASE_TAG_PUSH_TOKEN --repo atomvm/AtomVM

Notes:

  • this must be a dedicated PAT, not GITHUB_TOKEN
  • if the atomvm organization requires approval for fine-grained PATs, an org owner may need to approve it before it works
  • the token only needs enough access to update tags in atomvm/AtomVM

Schedule

Nightly tags run at:

  • 17 2 * * * UTC
  • that is 02:17 UTC every day

First run / verification

After the workflow file is on the default branch and the secret is configured, trigger the first run manually:

gh workflow run nightly-release-tags.yaml --repo atomvm/AtomVM --ref main

Then watch it with:

gh run list --repo atomvm/AtomVM --workflow nightly-release-tags.yaml
gh run watch --repo atomvm/AtomVM

Expected result:

  • main-latest and release-0.7-latest move to the latest branch heads
  • release workflows triggered by those tags publish fresh nightly prerelease assets

Manual cleanup

If a nightly release ends up with stale assets and you want to reset it manually, delete the GitHub release and the tag, then rerun the nightly workflow.

Delete the release:

gh release delete main-latest --repo atomvm/AtomVM --yes
gh release delete release-0.7-latest --repo atomvm/AtomVM --yes

Delete the remote tag:

git push --delete upstream main-latest
git push --delete upstream release-0.7-latest

Or with the GitHub API via gh:

gh api -X DELETE repos/atomvm/AtomVM/git/refs/tags/main-latest
gh api -X DELETE repos/atomvm/AtomVM/git/refs/tags/release-0.7-latest

After cleanup, rerun:

gh workflow run nightly-release-tags.yaml --repo atomvm/AtomVM --ref main

Notes

  • in the official repo, missing RELEASE_TAG_PUSH_TOKEN is a hard failure
  • in forks, missing RELEASE_TAG_PUSH_TOKEN only warns and skips, to make testing easier
  • workflow_dispatch only works once the workflow file exists on the default branch

Amp-Thread-ID: https://ampcode.com/threads/T-019d0f7e-bb56-7572-a7e0-ca9fb71d69a3

These changes are made under both the "Apache 2.0" and the "GNU Lesser General
Public License 2.1 or later" license terms (dual license).

SPDX-License-Identifier: Apache-2.0 OR LGPL-2.1-or-later

Add a scheduled workflow (nightly-release-tags.yaml) that force-updates
a `release-0.7-latest` annotated tag to the tip of the release-0.7
branch using a dedicated PAT (RELEASE_TAG_PUSH_TOKEN) so downstream
release workflows are triggered. The tag is only moved when the branch
HEAD has actually changed, avoiding unnecessary rebuilds.

Adapt existing release workflows for `*-latest` tags:
- Publish as prerelease instead of draft, with asset overwrite enabled.
- Skip CodeQL analysis only for nightly tags, not for branches that
  happen to end in "-latest".
- Exclude `*-latest` tags from non-release CI workflows via tags-ignore.
- Narrow publish-docs tag filter to `v*` to prevent docs deployment on
  nightly tag pushes.

Forks without the token secret skip nightly tag updates gracefully;
the official repository fails fast if the secret is missing.

Amp-Thread-ID: https://ampcode.com/threads/T-019d0f7e-bb56-7572-a7e0-ca9fb71d69a3

Signed-off-by: Peter M <petermm@gmail.com>
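
The gating rules this PR describes (nightly handling only for `*-latest` tags, hard failure versus skip when the token is missing, and moving the tag only when the branch head changed), as an added shell sketch; it is not code from the PR's workflow files. Function names and the sample refs are hypothetical, and treating every other tag as a draft release with no overwrite is an assumption drawn from "instead of drafts".

```shell
#!/bin/sh
# Added illustration: function names are hypothetical, sample refs are constructed.
OFFICIAL_REPO="atomvm/AtomVM"

# Classify a full Git ref. Only refs/tags/*-latest is a moving nightly tag;
# a branch such as refs/heads/feature-latest must not match.
ref_kind() {
    case "$1" in
        refs/tags/*-latest) echo nightly ;;
        refs/tags/*)        echo versioned ;;
        *)                  echo other ;;
    esac
}

# Nightly tags publish as prerelease and may overwrite assets in place.
# Assumption: every other tag stays a draft and never overwrites.
release_mode() {
    case "$(ref_kind "$1")" in
        nightly)   echo "prerelease overwrite=true" ;;
        versioned) echo "draft overwrite=false" ;;
        *)         echo "none" ;;
    esac
}

# token_gate REPO TOKEN: the official repo fails without the secret, forks skip.
token_gate() {
    repo=$1 token=$2
    if [ -n "$token" ]; then echo proceed
    elif [ "$repo" = "$OFFICIAL_REPO" ]; then echo fail
    else echo skip
    fi
}

# plan_nightly REPO TOKEN BRANCH_SHA TAG_COMMIT_SHA
# For an annotated tag, TAG_COMMIT_SHA must be the peeled commit
# (git rev-parse "$tag^{commit}"), not the tag object's own SHA,
# otherwise the comparison never matches and the tag moves every night.
# An empty TAG_COMMIT_SHA means the tag does not exist yet.
plan_nightly() {
    gate=$(token_gate "$1" "$2")
    if [ "$gate" != proceed ]; then echo "$gate"; return 0; fi
    if [ "$3" = "$4" ]; then echo up-to-date; else echo move; fi
}

for ref in refs/tags/main-latest refs/tags/v0.7.0 refs/heads/feature-latest; do
    printf '%s -> %s\n' "$ref" "$(release_mode "$ref")"
done
```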