ci(release): authenticate semantic-release with RELEASE_PAT for branch push

The default GITHUB_TOKEN authenticates as github-actions[bot], which is
not in the main branch protection's restrictions.users allowlist and
cannot be added to restrictions.apps. Use a classic PAT stored as
RELEASE_PAT for both actions/checkout (so @semantic-release/git's push
goes through) and the semantic-release env (so @semantic-release/github
authenticates as the same actor).
Andrey Avtomonov 2026-05-20 17:28:13 +02:00
parent a4763f1be5
commit 9565669bdc
2 changed files with 6 additions and 2 deletions


@ -31,6 +31,9 @@ describe('release workflow', () => {
assert.match(workflow, /pnpm run semantic-release$/m);
assert.match(workflow, /KTX_RELEASE_KIND: \$\{\{ inputs.release_kind \}\}/);
assert.match(workflow, /FORCE_RELEASE: \$\{\{ inputs.force_release \}\}/);
assert.match(workflow, /token: \$\{\{ secrets.RELEASE_PAT \}\}/);
assert.match(workflow, /GITHUB_TOKEN: \$\{\{ secrets.RELEASE_PAT \}\}/);
assert.doesNotMatch(workflow, /GITHUB_TOKEN: \$\{\{ secrets\.GITHUB_TOKEN \}\}/);
assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN/);
assert.doesNotMatch(workflow, /^ push:/m);
assert.doesNotMatch(workflow, /^ pull_request:/m);
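Review bot: The negative assertion `assert.doesNotMatch(workflow, /GITHUB_TOKEN: \$\{\{ secrets\.GITHUB_TOKEN \}\}/)` rejects only one exact spelling, so a workflow that falls back to the default token as `${{secrets.GITHUB_TOKEN}}` or `${{ github.token }}` would still pass this test. Since the commit's intent is that the release never authenticates as github-actions[bot], a whitespace-tolerant pattern covering both aliases would pin that more firmly, e.g. `assert.doesNotMatch(workflow, /GITHUB_TOKEN:\s*\$\{\{\s*(secrets\.GITHUB_TOKEN|github\.token)\s*\}\}/);`. The two RELEASE_PAT patterns (apparently among the added lines; the +/- markers are not visible here) also leave the `.` in `secrets.RELEASE_PAT` unescaped, unlike the line below them, and `secrets\.RELEASE_PAT` would be consistent. The enclosing test body starts and ends outside the hunk.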