From 16f8a35beeabbaf888be581d1c0f03f1a0285362 Mon Sep 17 00:00:00 2001
From: Andrey Avtomonov
Date: Wed, 20 May 2026 17:57:35 +0200
Subject: [PATCH] ci(release): restore RELEASE_PAT for branch push (#189)
Re-applies the RELEASE_PAT wiring on top of the URL-casing fix in #188. The default GITHUB_TOKEN authenticates as github-actions[bot], which cannot be added to either restrictions or bypass_pull_request_allowances on a protected branch. With #188 removing the URL redirect, the PAT auth header now survives all the way to the protected-branch hook; since RELEASE_PAT belongs to andreybavt (verified via /user) and andreybavt is in the bypass list, the push should now be accepted.
---
 .github/workflows/release.yml | 5 +++--
 scripts/release-workflow.test.mjs | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index aa34d37b..108c1989 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,6 +38,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ token: ${{ secrets.RELEASE_PAT }}
 - name: Setup pnpm
 uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
@@ -93,7 +94,7 @@ jobs:
 if: ${{ !inputs.publish_live }}
 run: pnpm run semantic-release:dry-run
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
 KTX_RELEASE_KIND: ${{ inputs.release_kind }}
 FORCE_RELEASE: ${{ inputs.force_release }}
@@ -101,6 +102,6 @@ jobs:
 if: ${{ inputs.publish_live }}
 run: pnpm run semantic-release
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
 KTX_RELEASE_KIND: ${{ inputs.release_kind }}
 FORCE_RELEASE: ${{ inputs.force_release }}
diff --git a/scripts/release-workflow.test.mjs b/scripts/release-workflow.test.mjs
index 76b299e3..9ca53736 100644
--- a/scripts/release-workflow.test.mjs
+++ b/scripts/release-workflow.test.mjs
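Review bot: The `token: ${{ secrets.RELEASE_PAT }}` input added to the checkout step (first release.yml hunk) gives actions/checkout a user-owned, bypass-listed credential, and checkout by default keeps that credential available to git for the rest of the job. `Setup pnpm` and every later step, including any install or build scripts that sit outside this hunk, can therefore push to the protected branch with it. If semantic-release can authenticate from the `GITHUB_TOKEN` env set on the release steps alone, add `persist-credentials: false` under `with:` so the PAT is confined to those steps. If the persisted credential is what makes the push work, say so in a comment on the `token:` line and confirm that dependency installation does not run untrusted lifecycle scripts in this job.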
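Review bot: Both env blocks (the `semantic-release:dry-run` step in the second release.yml hunk and the `semantic-release` step in the third) now run project scripts with a long-lived personal token instead of the job-scoped `GITHUB_TOKEN`, and nothing in the workflow file records why or what the token is allowed to do. The commit message says the PAT belongs to a maintainer account on the bypass list; unless it is already a fine-grained token limited to this repository, its reach is that account's rather than this workflow's. Add a comment above each changed line, for example `# RELEASE_PAT, not GITHUB_TOKEN: github-actions[bot] cannot be on the branch-protection bypass list; scopes: <list the PAT's scopes>`. It is also worth confirming whether the dry-run step needs the elevated token at all, since it is the path taken when `publish_live` is false.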
@@ -31,6 +31,9 @@ describe('release workflow', () => {
 assert.match(workflow, /pnpm run semantic-release$/m);
 assert.match(workflow, /KTX_RELEASE_KIND: \$\{\{ inputs.release_kind \}\}/);
 assert.match(workflow, /FORCE_RELEASE: \$\{\{ inputs.force_release \}\}/);
+ assert.match(workflow, /token: \$\{\{ secrets.RELEASE_PAT \}\}/);
+ assert.match(workflow, /GITHUB_TOKEN: \$\{\{ secrets.RELEASE_PAT \}\}/);
+ assert.doesNotMatch(workflow, /GITHUB_TOKEN: \$\{\{ secrets\.GITHUB_TOKEN \}\}/);
 assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN/);
 assert.doesNotMatch(workflow, /^ push:/m);
 assert.doesNotMatch(workflow, /^ pull_request:/m);
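Review bot: The two added `assert.match` calls pass as soon as one occurrence exists, so the test still passes if only one of the two release steps uses `RELEASE_PAT` and the other drops its `GITHUB_TOKEN` line or switches to `${{ github.token }}`. Counting is tighter, e.g. `assert.equal(workflow.match(/GITHUB_TOKEN: \$\{\{ secrets\.RELEASE_PAT \}\}/g)?.length, 2);`. The negative check is spacing-sensitive (`${{secrets.GITHUB_TOKEN}}` slips through), and the `.` in `secrets.RELEASE_PAT` is unescaped in the two positive patterns although the `doesNotMatch` pattern escapes it. With a bypass-capable token now in the workflow, the trigger guards on the following lines would be worth extending to `pull_request_target`. The enclosing `describe` callback starts and ends outside this hunk.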