ci(release): restore RELEASE_PAT for branch push (#189)

Re-applies the RELEASE_PAT wiring on top of the URL-casing fix in #188.
The default GITHUB_TOKEN authenticates as github-actions[bot], which
cannot be added to either restrictions or bypass_pull_request_allowances
on a protected branch. With #188 removing the URL redirect, the PAT
auth header now survives all the way to the protected-branch hook;
since RELEASE_PAT belongs to andreybavt (verified via /user) and
andreybavt is in the bypass list, the push should now be accepted.
Andrey Avtomonov 2026-05-20 17:57:35 +02:00 committed by GitHub
parent b43000f961
commit 16f8a35bee
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 2 deletions


@ -38,6 +38,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
fetch-depth: 0 fetch-depth: 0
token: ${{ secrets.RELEASE_PAT }}
- name: Setup pnpm - name: Setup pnpm
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8 uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@ -93,7 +94,7 @@ jobs:
if: ${{ !inputs.publish_live }} if: ${{ !inputs.publish_live }}
run: pnpm run semantic-release:dry-run run: pnpm run semantic-release:dry-run
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
KTX_RELEASE_KIND: ${{ inputs.release_kind }} KTX_RELEASE_KIND: ${{ inputs.release_kind }}
FORCE_RELEASE: ${{ inputs.force_release }} FORCE_RELEASE: ${{ inputs.force_release }}
@ -101,6 +102,6 @@ jobs:
if: ${{ inputs.publish_live }} if: ${{ inputs.publish_live }}
run: pnpm run semantic-release run: pnpm run semantic-release
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
KTX_RELEASE_KIND: ${{ inputs.release_kind }} KTX_RELEASE_KIND: ${{ inputs.release_kind }}
FORCE_RELEASE: ${{ inputs.force_release }} FORCE_RELEASE: ${{ inputs.force_release }}
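Review bot: The added `token: ${{ secrets.RELEASE_PAT }}` on the checkout step gives `actions/checkout` a user-owned PAT that can bypass branch protection, and by default checkout keeps that credential available to git for the rest of the job, so every later step (pnpm setup, dependency install and its lifecycle scripts, the dry-run) can push with it. If semantic-release can authenticate its push from the `GITHUB_TOKEN` environment variable alone, prefer `persist-credentials: false` on the checkout and drop the `token:` input; the new `token:` assertion in the workflow test would then need adjusting. The dry-run step now also receives the PAT although it is presumably not meant to push, so it is worth checking whether a lower-privilege token is enough there. Since the description says the PAT belongs to a personal account, it should be fine-grained and limited to this repository's contents. The job's `permissions:` block and the steps between these hunks are outside the visible lines.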


@ -31,6 +31,9 @@ describe('release workflow', () => {
assert.match(workflow, /pnpm run semantic-release$/m); assert.match(workflow, /pnpm run semantic-release$/m);
assert.match(workflow, /KTX_RELEASE_KIND: \$\{\{ inputs.release_kind \}\}/); assert.match(workflow, /KTX_RELEASE_KIND: \$\{\{ inputs.release_kind \}\}/);
assert.match(workflow, /FORCE_RELEASE: \$\{\{ inputs.force_release \}\}/); assert.match(workflow, /FORCE_RELEASE: \$\{\{ inputs.force_release \}\}/);
assert.match(workflow, /token: \$\{\{ secrets.RELEASE_PAT \}\}/);
assert.match(workflow, /GITHUB_TOKEN: \$\{\{ secrets.RELEASE_PAT \}\}/);
assert.doesNotMatch(workflow, /GITHUB_TOKEN: \$\{\{ secrets\.GITHUB_TOKEN \}\}/);
assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN/); assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN/);
assert.doesNotMatch(workflow, /^ push:/m); assert.doesNotMatch(workflow, /^ push:/m);
assert.doesNotMatch(workflow, /^ pull_request:/m); assert.doesNotMatch(workflow, /^ pull_request:/m);
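Review bot: The three added assertions check that the PAT is referenced but not where or how often, so a later edit that passes `secrets.RELEASE_PAT` to an additional step would still pass. A count check such as `assert.equal(workflow.match(/secrets\.RELEASE_PAT/g)?.length, 3);` would keep the token confined to the checkout and the two semantic-release steps. The `.` in `secrets.RELEASE_PAT` is also unescaped in the two `assert.match` patterns while the `doesNotMatch` line escapes it; use `secrets\.RELEASE_PAT` in both for consistency. The enclosing `describe` block and test case start and end outside this hunk.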