From a696866c847adaee2309fae797947259a58efb17 Mon Sep 17 00:00:00 2001 From: Jordan Ritter Date: Sat, 18 Apr 2026 07:37:17 -0700 Subject: [PATCH] fix: chain docker publish from release workflow GitHub's anti-recursion rule prevents workflows from triggering other workflows when acting as GITHUB_TOKEN. publish-release.yml pushes the release tag with the default token, so the push:tags:v* trigger on publish-docker.yml never fires. Result: v1.11.0 through v1.14.3 all published to npm but no Docker image reached GHCR, and the v1.14.3 OOM fix never made it to the Railway service pulling ghcr.io/copilotkit/aimock:latest. Fix by explicitly dispatching publish-docker.yml via `gh workflow run --ref ` after the npm publish step succeeds. This does not depend on tag-trigger behavior and is guarded by the same steps.check.outputs.published == 'false' condition as the publish, so Docker only builds when npm publish actually happened. Also restore the workflow_dispatch trigger on publish-docker.yml (added in 486ccd9, inadvertently removed in 63aab1e); `gh workflow run` requires workflow_dispatch on the ref being invoked. The existing push:tags:v* trigger stays as belt-and-suspenders for anyone pushing tags manually from a local clone with a PAT. Option chosen: explicit chain over PAT or workflow_call. Least invasive (no new secrets, no cross-workflow refactor), most observable (the dispatch shows up as a discrete step in the release run), and the failure mode is clearly visible in the release workflow log.
---
 .github/workflows/publish-docker.yml | 1 + .github/workflows/publish-release.yml | 12 ++++++++++++ 2 files changed, 13 insertions(+)
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
index 2a75812..9110548 100644
--- a/.github/workflows/publish-docker.yml
+++ b/.github/workflows/publish-docker.yml
@@ -7,6 +7,7 @@ on:
 pull_request:
 branches:
 - main
+ workflow_dispatch:
 
 env:
 REGISTRY: ghcr.io
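Review bot: The added `workflow_dispatch:` trigger takes no inputs and carries no ref restriction, so anyone with write access can run this workflow by hand against any branch, not only a release tag. Whether such a run logs in to GHCR and pushes (or moves `latest`) depends on the job's step conditions, which lie outside this hunk and should be checked. If they only exclude pull requests, consider gating the login and push steps with `if: github.event_name != 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v')`. A comment on the trigger such as `# dispatched by publish-release.yml with --ref <tag>; manual runs must target a v* tag` would also record why it exists, given that it was already removed once by accident.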
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 45879fb..ed743d9 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -10,6 +10,7 @@ jobs:
 permissions:
 contents: write
 id-token: write
+ actions: write
 steps:
 - uses: actions/checkout@v4
 with: { fetch-depth: 0 }
@@ -81,6 +82,17 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Trigger Docker publish workflow
+ # GitHub's anti-recursion rule: tags pushed by GITHUB_TOKEN do NOT
+ # trigger downstream workflows. Explicitly dispatch publish-docker.yml
+ # so the GHCR image actually gets built on every release.
+ if: steps.check.outputs.published == 'false'
+ run: |
+ TAG="v${{ steps.check.outputs.version }}"
+ gh workflow run publish-docker.yml --ref "${TAG}"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Notify Slack
 if: steps.check.outputs.published == 'false'
 run: |
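Review bot: `actions: write` is added to the job-level `permissions:` block in the first hunk, so every step of the release job gets a token that can dispatch and cancel workflow runs, on top of the existing `contents: write` and `id-token: write`. That includes the install, build and publish steps that sit between the two hunks and are not visible here. Only the new dispatch step needs that scope. Consider moving the dispatch into a small follow-up job that declares `actions: write` alone and reads the version and published flag from the release job's outputs, as sketched below; the job id is a placeholder because the real one lies outside the hunk.

```yaml
# … unchanged: release job, without `actions: write`, exposing `version` and `published` under `outputs:` …
  dispatch-docker:
    needs: RELEASE_JOB_ID   # placeholder: id of the existing release job
    if: needs.RELEASE_JOB_ID.outputs.published == 'false'
    runs-on: ubuntu-latest
    permissions:
      actions: write
    steps:
      - name: Trigger Docker publish workflow
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          TAG: v${{ needs.RELEASE_JOB_ID.outputs.version }}
        run: gh workflow run publish-docker.yml --ref "$TAG"
```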
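Review bot: In the new `Trigger Docker publish workflow` step, `${{ steps.check.outputs.version }}` is expanded into the script text before the shell runs, so any shell metacharacter in that output would be interpreted by a step whose token now carries `actions: write`. The `check` step is not visible in this hunk; if the version is read from a repository file, pass it through the environment instead by adding `VERSION: ${{ steps.check.outputs.version }}` under `env:` and using `TAG="v${VERSION}"`. Separately, `gh workflow run` returns as soon as the run is queued, so a failed image build will not fail this job or hold back the Slack step that follows.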