ci: let the release pipeline push to protected main (RELEASE_TOKEN)#25
Merged
Conversation
… protection main now requires the CLA Assistant check, which only runs on PRs — so the release bump (ci.yml) and the screenshots job, which push directly to main as github-actions[bot], were rejected. Check out with RELEASE_TOKEN (a fine-grained admin PAT) so the push bypasses protection (enforce_admins is off), and mark the release commit [skip ci] so the PAT-identity push doesn't re-trigger CI and double-publish. Requires a new repo secret RELEASE_TOKEN: fine-grained PAT, dev-coach only, Contents: Read and write.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the release pipeline broken by branch protection on
main.Root cause:
mainrequires theCLA Assistantcheck, which only runs on PRs. Thebumpjob (ci.yml) and the screenshots job push directly to main asgithub-actions[bot](not an admin) → GitHub rejects the push.Fix: check out with
RELEASE_TOKEN(a fine-grained admin PAT scoped to dev-coach, Contents: RW) so the push bypasses protection (enforce_adminsis off), and mark the release commit[skip ci]so the real-identity push doesn't re-trigger CI and double-publish.Action required before next release: add the
RELEASE_TOKENsecret (see PR discussion). Without it the jobs fall back to the default token (current behaviour — no regression).