Skip to content

Automatically unlock main branch after release publishes#7416

Closed
isaacroldan wants to merge 1 commit into04-28-automate_tag_stable_branch_and_github_release_after_changeset_publishfrom
04-28-automatically_unlock_main_branch_after_release_publishes
Closed

Automatically unlock main branch after release publishes#7416
isaacroldan wants to merge 1 commit into04-28-automate_tag_stable_branch_and_github_release_after_changeset_publishfrom
04-28-automatically_unlock_main_branch_after_release_publishes

Conversation

@isaacroldan
Copy link
Copy Markdown
Contributor

@isaacroldan isaacroldan commented Apr 28, 2026
edited
Loading

Summary

  • Adds an "Unlock main branch" step at the end of the changeset-release job that flips lockBranch back to false on the main branch protection rule once a release publishes successfully.
  • The pre-release lock is still applied manually (out of scope for this PR); only the unlock is automated for now.
  • Step is gated on hasChangesets == 'false' (release was just published) and github.ref_name == 'main', so it doesn't run on stable branches or on the version-PR creation pass.

Token requirement

The default GITHUB_TOKEN cannot modify branch protection rules. The step uses a separate RELEASE_ADMIN_TOKEN secret (PAT or GitHub App installation token with Administration: write on the repo). If the secret is not configured, the step emits a ::warning:: and exits 0 without failing the workflow — meaning this is safe to merge before the secret is provisioned, and the unlock will simply remain manual until then.

Stacked on top of #7415.

Test plan

  • Provision RELEASE_ADMIN_TOKEN secret in the repo
  • Lock main manually via the GitHub UI before the next release
  • Confirm the step flips lockBranch back to false after the release publishes
  • Verify in the Actions log that the GraphQL mutation returns lockBranch: false

🤖 Generated with Claude Code

@isaacroldan Graphite App
Copy link
Copy Markdown
Contributor Author

isaacroldan commented Apr 28, 2026
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@isaacroldan isaacroldan mentioned this pull request Apr 28, 2026
Merged
3 tasks
@isaacroldan @claude
Automatically unlock main branch after release publishes
6780212 
Adds a final step in the changeset-release job that flips the lockBranch
field on the main branch protection rule back to false once a release
publishes successfully. The pre-release lock is still applied manually;
only the unlock is automated for now.

The step requires a RELEASE_ADMIN_TOKEN secret (PAT or GitHub App
installation token with admin permissions on branch protection). If the
secret is not configured, the step warns and skips so it never blocks a
release.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@isaacroldan isaacroldan changed the base branch from 04-28-automate_tag_stable_branch_and_github_release_after_changeset_publish to graphite-base/7416 April 28, 2026 11:04
@isaacroldan isaacroldan force-pushed the 04-28-automatically_unlock_main_branch_after_release_publishes branch from 3a1b640 to 6780212 Compare April 28, 2026 11:04
@isaacroldan isaacroldan changed the base branch from graphite-base/7416 to 04-28-automate_tag_stable_branch_and_github_release_after_changeset_publish April 28, 2026 11:04
@isaacroldan isaacroldan mentioned this pull request Apr 28, 2026
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@isaacroldan