dart-lang · spydon · Feb 5, 2024 · Feb 6, 2024 · Feb 6, 2024 · Feb 8, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@ Important changes to data models, configuration, and migrations between each
 AppEngine version, listed here to ease deployment and troubleshooting.
 
 ## Next Release (replace with git tag when deployed)
+ * Allowed `workflow_dispatch` events from GitHub Actions to publish. 
  * Bumped runtimeVersion to `2024.05.28`.
  * Upgraded stable Dart analysis SDK to `3.4.1`
  * Upgraded stable Flutter analysis SDK to `3.22.1`.
@@ -65,7 +66,6 @@ AppEngine version, listed here to ease deployment and troubleshooting.
  * Resyncing all `SecurityAdvisory` entities to get `pub_display_url` in the
   `database_specific` field backfilled.
 
-
 ## `20240227t140000-all`
  * Bumped runtimeVersion to `2024.02.27`.
  * Upgraded pana to `0.22.2`.

diff --git a/app/lib/package/backend.dart b/app/lib/package/backend.dart
@@ -1318,9 +1318,11 @@ class PackageBackend {
 
     // TODO: consider allowing other events from
     //       https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
-    if (agent.payload.eventName != 'push') {
+    if (agent.payload.eventName != 'push' &&
+        agent.payload.eventName != 'workflow_dispatch') {
       throw AuthorizationException.githubActionIssue(
-          'publishing is only allowed from "push" events, this token originates from a "${agent.payload.eventName}" event');
+          'publishing is only allowed from "push" and "workflow_dispatch events, '
+          'this token originates from a "${agent.payload.eventName}" event');
     }
 
     if (agent.payload.refType != 'tag') {

diff --git a/app/test/package/upload_test.dart b/app/test/package/upload_test.dart
@@ -613,6 +613,74 @@ void main() {
         expect(rs.success.message, contains('Successfully uploaded'));
       });
 
+      testWithProfile(
+          'successful upload with GitHub Actions through workflow_dispatch',
+          fn: () async {
+        await withFakeAuthHttpPubApiClient(
+          email: adminAtPubDevEmail,
+          fn: (client) async {
+            await client.setAutomatedPublishing(
+              'oxygen',
+              AutomatedPublishingConfig(
+                github: GithubPublishingConfig(
+                  isEnabled: true,
+                  repository: 'a/b',
+                  tagPattern: '{{version}}',
+                ),
+              ),
+            );
+          },
+        );
+        final token = createFakeGithubActionToken(
+          repository: 'a/b',
+          ref: 'refs/tags/2.2.0',
+          eventName: 'workflow_dispatch',
+        );
+        final pubspecContent = generatePubspecYaml('oxygen', '2.2.0');
+        final bytes = await packageArchiveBytes(pubspecContent: pubspecContent);
+        final rs = await createPubApiClient(authToken: token)
+            .uploadPackageBytes(bytes);
+        expect(rs.success.message,
+            'Successfully uploaded https://pub.dev/packages/oxygen version 2.2.0.');
+      });
+
+      testWithProfile(
+          'GitHub Actions through workflow_dispatch cannot upload without targeting a tag',
+          fn: () async {
+        await withFakeAuthHttpPubApiClient(
+          email: adminAtPubDevEmail,
+          fn: (client) async {
+            await client.setAutomatedPublishing(
+              'oxygen',
+              AutomatedPublishingConfig(
+                github: GithubPublishingConfig(
+                  isEnabled: true,
+                  repository: 'a/b',
+                  tagPattern: '{{version}}',
+                ),
+              ),
+            );
+          },
+        );
+        final token = createFakeGithubActionToken(
+          repository: 'a/b',
+          ref: 'refs/heads/main',
+          eventName: 'workflow_dispatch',
+        );
+        final pubspecContent = generatePubspecYaml('oxygen', '2.2.0');
+        final bytes = await packageArchiveBytes(pubspecContent: pubspecContent);
+        final rs =
+            createPubApiClient(authToken: token).uploadPackageBytes(bytes);
+        await expectApiException(rs,
+            status: 403,
+            code: 'InsufficientPermissions',
+            message:
+                'The calling GitHub Action is not allowed to publish, because: '
+                'publishing is only allowed from \"tag\" refType, this token '
+                'has \"head\" refType.\n'
+                'See https://dart.dev/go/publishing-from-github');
+      });
+
       testWithProfile(
           'successful upload with GitHub Actions (exempted package)',
           testProfile: TestProfile(