I need my pipeline runs only when a new TAG is created in "main" branch (exclusive)

Problem to solve

I need my pipeline runs only when a new TAG is created in “main” branch (exclusive), no matter if a new TAG is created in other branches, the pipeline should run only when the TAG is created in main.

I have tried using using workflow/rules because my expected pipeline behavior is that the pipeline only run when the new TAG is created in main branch, I don’t expect any failing pipeline saying, the error, for that reason I tried workflow rules.

Steps to reproduce

This is what I have, but it did not work. I put this code at the very top of the pipeline but when I created the TAG in main branch, the pipeline does not run.

workflow:
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main" && $CI_COMMIT_TAG != ""'
      when: always
    - when: never

If I don’t add this lines to the pipelines it works really fine but the problem is that if I create a new TAG for example in my “test” branch, the pipeline runs and I want to avoid this situation.

Configuration

My pipeline looks like:

workflow:
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main" && $CI_COMMIT_TAG != ""'
      when: always
    - when: never
stages:
  - release
release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    # Job runs only if a TAG was created manually in main branch
    - if: '$CI_COMMIT_TAG'
  script:
    - 'echo "Running release job for tag: $CI_COMMIT_TAG"'
    # Setup git to commit from the pipeline
    - git config --global user.email "ci-bot@gitlab.com"
    - git config --global user.name "GitLab CI/CD Bot"
    # Configure Git to use PAT for authentication
    - 'echo "Gitlab Perssonal Access Token: $GITLAB_ACCESS_TOKEN"'
    - git remote set-url origin "https://oauth2:$GITLAB_ACCESS_TOKEN@gitlab.com/$CI_PROJECT_PATH.git"
    # File to modify the line with Version value 
    - MY_FILE=./style.css
    # Update version in style.css file to match the manual TAG
    - 'sed -i -E "s/^Version: .*/Version: $CI_COMMIT_TAG/" "$MY_FILE"'
    # Ensure we have all branches available
    - git fetch --all
    # Checkout the correct branch (not "origin/main", just "main")
    - git checkout main
    # Commit and push the style.css file
    - git add "$MY_FILE"
    - git commit -m "Update style.css version to $CI_COMMIT_TAG"
    - git push "https://oauth2:$GITLAB_ACCESS_TOKEN@gitlab.com/$CI_PROJECT_PATH.git" main

  release:
    tag_name: "$CI_COMMIT_TAG"
    description: "Release $CI_COMMIT_TAG"

Versions

Please select whether options apply, and add the version information.

• GitLab.com SaaS

Hi,

$CI_COMMIT_REF_NAME is the wrong CI-Var to use because it doesn’t refer to the branch name. When you print $CI_COMMIT_REF_NAME you would get the tag name or commit msg.

What you want is $CI_COMMIT_BRANCH but the docs says

The commit branch name. Available in branch pipelines, including pipelines for the default branch. Not available in merge request pipelines or tag pipelines.

I think there is no CI-variable with the combination of $CI_COMMIT_TAG to use to find out which branch the tag is created from.

I mean, you could force add a specific name scheme when creating a tag, but it is not really what you want.

Maybe someone else knows more.

Yes, I tried $CI_COMMIT_BRANCH and $CI_COMMIT_REF_NAME but I can not make it work with either variables.

Any other idea, please drop it here. Thank you.

Yes, I tried $CI_COMMIT_BRANCH and $CI_COMMIT_REF_NAME but I can not make it work with either variables.

Yes, because the variables don’t work. $CI_COMMIT_BRANCH is empty when creating a tag. And the content of $CI_COMMIT_REF_NAME is not what you want.

I found the following GitLab issues:

• PREDEFINED VARIABLE TO FIND OUT WHICH BRANCH TAG WAS CUT FROM. (#219127) · Issues · GitLab.org / GitLab · GitLab
• CICD predefined environment variables: branch of tag (#241706) · Issues · GitLab.org / GitLab · GitLab (more important)

There is no direct solution for you, so you might want to use the REST-API maybe and check inside the job whether the tag is created from main and fail it if not.

@botkero , I got this from the documentation, I thought it could work, for that reason I tried with $CI_COMMIT_REF_NAME .

Screenshot 2025-03-19 at 3.00.29 PM1562×198 10.9 KB

I will check the issues you shared. Thank you for your time.