From 8ad8e1d3ed5d5d7116c2c10486c43449da0a7099 Mon Sep 17 00:00:00 2001 From: Jason Roy Date: Thu, 25 Jun 2026 15:23:13 -0700 Subject: [PATCH] ci: consolidate on RELEASE_PAT, drop NPM_TOKEN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Single token to manage instead of two, and remove a dead/expired secret: - version-bump.yml: PAT_TOKEN -> RELEASE_PAT (checkout + PR creation). - catch-up-release.yml: give it the same RELEASE_PAT treatment so its PR actually triggers CI and its merge fires tag-on-version-merge (it had the same GITHUB_TOKEN bug — bot-opened PR runs no CI, auto-merge never fires). - catch-up-release.yml: drop the NODE_AUTH_TOKEN/NPM_TOKEN line — this workflow doesn't publish (publishing is OIDC via publish.yml downstream), so it was dead config referencing an expired token. NPM_TOKEN and PAT_TOKEN secrets deleted (publishing is OIDC; releases use the single RELEASE_PAT). Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/catch-up-release.yml | 13 ++++++++-----
 .github/workflows/version-bump.yml | 4 ++--
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/catch-up-release.yml b/.github/workflows/catch-up-release.yml
index 1404209..d3c6257 100644
--- a/.github/workflows/catch-up-release.yml
+++ b/.github/workflows/catch-up-release.yml
@@ -33,6 +33,11 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ # Use the release PAT so the catch-up PR triggers CI and its merge fires
+ # tag-on-version-merge (a GITHUB_TOKEN-opened PR runs no CI and a bot-merge
+ # triggers nothing — GitHub's anti-recursion rule).
+ token: ${{ secrets.RELEASE_PAT || github.token }}
 
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
@@ -42,9 +47,6 @@ jobs:
 with:
 node-version: "22"
 cache: "pnpm"
- registry-url: "https://registry.npmjs.org"
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 - name: Install dependencies
 run: pnpm install
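Review bot: The `|| github.token` fallback on the new `token:` line silently degrades to exactly the failure mode this commit is fixing — if RELEASE_PAT is ever missing, renamed or expired (the fate NPM_TOKEN met), the catch-up PR is opened with GITHUB_TOKEN, runs no CI and never auto-merges, and nothing in the log says why. The same fallback is introduced on GH_TOKEN in the -162 hunk and in both version-bump.yml hunks, so the point applies to all four. Consider a guard step ahead of checkout that fails fast, e.g. `- run: test -n "$RELEASE_PAT" || { echo "RELEASE_PAT secret is not set"; exit 1; }` with `env: { RELEASE_PAT: "${{ secrets.RELEASE_PAT }}" }`, or at minimum extend the comment to say that the fallback is a degraded mode rather than an equivalent. Separately, actions/checkout persists the supplied token in the workspace's git config by default, so every later step in the job — including `pnpm install` and anything else that runs third-party code — can read a PAT that now carries write access for two release workflows; if the later branch push does not depend on the persisted credential, add `persist-credentials: false` under the same `with:`, and in any case keep RELEASE_PAT a fine-grained token restricted to this repository with only the contents and pull-request write permissions the two workflows need.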
@@ -162,7 +164,8 @@ jobs:
 - name: Create PR and enable auto-merge
 if: steps.versions.outputs.needs_update == 'true' && inputs.dry_run != true
 env:
- GH_TOKEN: ${{ github.token }}
+ # PAT so the PR triggers CI and the merge fires tag-on-version-merge.
+ GH_TOKEN: ${{ secrets.RELEASE_PAT || github.token }}
 run: |
 VERSION="${{ steps.versions.outputs.new_pkg_version }}"
 BRANCH_NAME="catch-up-$VERSION"
@@ -197,7 +200,7 @@ jobs:
 --head $BRANCH_NAME
 # Enable auto-merge
- gh pr merge $BRANCH_NAME --auto --squash
+ gh pr merge $BRANCH_NAME --auto --squash --delete-branch
 echo "✅ Created PR and enabled auto-merge"
 echo "🔗 PR will be merged automatically once status checks pass"
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index eb416c6..863bc76 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -32,7 +32,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
 with:
- token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.RELEASE_PAT || secrets.GITHUB_TOKEN }}
 
 - name: Setup pnpm
 uses: pnpm/action-setup@v4
@@ -107,7 +107,7 @@ jobs:
 - name: Create Pull Request
 env:
- GH_TOKEN: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.RELEASE_PAT || secrets.GITHUB_TOKEN }}
 NEW_VERSION: ${{ steps.version.outputs.new_version }}
 DIST_TAG: ${{ steps.version.outputs.dist_tag }}
 BRANCH_NAME: ${{ steps.branch.outputs.branch_name }}
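Review bot: The new GH_TOKEN line spells its fallback `github.token` while the two version-bump.yml hunks below spell it `secrets.GITHUB_TOKEN`; the values are the same, but a commit whose purpose is a single token story across both workflows should also use a single spelling, so that a grep for RELEASE_PAT usage and its fallbacks is reliable — `GH_TOKEN: ${{ secrets.RELEASE_PAT || github.token }}` in all four places, or the `secrets.` form everywhere. The new comment describes the happy path only; since the step's success messages in the -197 hunk (`✅ Created PR and enabled auto-merge`) still print when the fallback is taken, it is worth recording the degraded behaviour there, e.g. `# Falls back to github.token if RELEASE_PAT is unset: the PR is still created, but it runs no CI and auto-merge never completes.`. Running `gh pr merge --auto` under the PAT presumably attributes the PR and the merge to the PAT owner; if branch protection on the target requires a review, that owner cannot approve their own PR, which is worth confirming before relying on this for unattended catch-up releases. The `run: |` block continues past the end of this hunk.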