GitHub Actions & Draft Releases: A Challenge for Developer Productivity

The Draft Release Dilemma: When GitHub Actions Go Quiet

In the quest for seamless and secure software delivery, GitHub Actions have become an indispensable tool for automating various stages of the development lifecycle. However, a recent discussion in the GitHub Community highlights a significant workflow friction point concerning draft releases created directly through the WebUI. This issue directly impacts developer productivity and the integrity of the software supply chain.

The Core Problem: WebUI Drafts and Silent Workflows

The discussion, initiated by shihabmollah471-png, zeroes in on a critical limitation: GitHub Actions workflows are explicitly not triggered for created, edited, or deleted activity types when a release is in a draft state. The official documentation clearly states:

Workflows are not triggered for the created, edited, or deleted activity types for draft releases. When you create your release through the GitHub UI, your release may automatically be saved as a draft.

This means that if a developer initiates a draft release via the GitHub WebUI—a common and intuitive starting point for many—any associated GitHub Actions designed to generate assets (like binaries, documentation, or SBOMs) will simply not run. The intended automation pipeline remains dormant.

Impact on Developer Productivity and Supply Chain Security

The inability to automatically generate assets for WebUI-created draft releases forces developers into a manual workflow. Instead of a streamlined process where actions handle asset creation, developers must upload these assets manually once the draft is ready to be published. This manual intervention introduces several challenges:

• Reduced Automation Efficiency: A key benefit of GitHub Actions is to eliminate repetitive manual tasks. This limitation directly undermines that goal, adding an extra, non-automated step to the release process. Such manual steps can be a bottleneck, impacting the efficiency metrics often tracked on a developer productivity dashboard.
• Compromised Attestation: As highlighted in the original discussion, "Uploading the assets manually breaks the attestation." Attestation is crucial for supply chain security, providing verifiable proof about the origin and integrity of software artifacts. When assets are manually uploaded, the automated cryptographic signing and provenance tracking that GitHub Actions can provide are bypassed, leaving a potential gap in the security chain.
• Inconsistent Workflows: Developers are left with a bifurcated approach: use the WebUI for initial draft creation but then switch to manual asset uploads, or completely bypass the WebUI for release creation by using the GitHub API or CLI to ensure actions are triggered from the outset. This inconsistency can lead to errors and a steeper learning curve for new team members.

Navigating the Limitation: A Call for Workflow Refinement

Currently, the only way to ensure GitHub Actions trigger for release asset generation is to either:

• Create the release directly as a non-draft using the GitHub API or CLI.
• Publish the release immediately (not as a draft) via the WebUI, which might not be suitable for all review processes.

For organizations prioritizing both ease of use (WebUI) and robust automation with strong supply chain security, this presents a significant challenge. It underscores a need for GitHub to potentially re-evaluate how draft releases interact with Actions, perhaps by introducing an explicit "trigger actions for draft" option or by allowing specific draft events to be configurable.

Addressing this gap would not only enhance the developer experience but also strengthen the overall security posture of projects relying on GitHub for their release management, ultimately contributing positively to the data reflected on a comprehensive developer productivity dashboard.