fix(release): require RELEASE_PAT for tag and release updates
Stop using GITHUB_TOKEN/GITEA_TOKEN fallbacks in prepare/do-release/publish mutation paths. Require explicit PAT wiring via secrets.RELEASE_PAT for commit/push/tag and release update operations so downstream workflows trigger reliably.
This commit is contained in:
Micheal Wilkinson
@@ -28,7 +28,7 @@ jobs:
|
||||
run:
|
||||
shell: bash
|
||||
env:
|
||||
RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
|
||||
RELEASE_TOKEN: ${{ secrets.RELEASE_PAT }}
|
||||
SUMMARY_FILE: ${{ runner.temp }}/do-release-summary.md
|
||||
steps:
|
||||
- name: Checkout
|
||||
@@ -137,7 +137,7 @@ jobs:
|
||||
set -euo pipefail
|
||||
|
||||
if [[ -z "${RELEASE_TOKEN:-}" ]]; then
|
||||
echo "No release token available. Set GITEA_TOKEN (or GITHUB_TOKEN on GitHub)." >&2
|
||||
echo "No release token available. Set secrets.RELEASE_PAT." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@@ -163,7 +163,7 @@ jobs:
|
||||
id: publish
|
||||
uses: ./publish
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
|
||||
token: ${{ secrets.RELEASE_PAT }}
|
||||
version: ${{ steps.resolve-version.outputs.version }}
|
||||
|
||||
- name: Build release binaries
|
||||
@@ -284,7 +284,7 @@ jobs:
|
||||
|
||||
- name: Download released binary
|
||||
env:
|
||||
TOKEN: ${{ secrets.GITHUB_TOKEN || secrets.GITEA_TOKEN }}
|
||||
TOKEN: ${{ secrets.RELEASE_PAT }}
|
||||
TAG_NAME: ${{ needs.release.outputs.tag }}
|
||||
RELEASE_VERSION: ${{ needs.release.outputs.version }}
|
||||
ASSET_ARCH: ${{ matrix.asset_arch }}
|
||||
|
||||
@@ -124,6 +124,7 @@ jobs:
|
||||
VOCIFERATE_CACHE_TOKEN: ${{ steps.cache-token.outputs.value }}
|
||||
with:
|
||||
version: ${{ steps.resolve-version.outputs.tag }}
|
||||
token: ${{ secrets.RELEASE_PAT }}
|
||||
git-add-files: CHANGELOG.md release-version README.md AGENTS.md
|
||||
|
||||
- name: Summarize prepared release
|
||||
|
||||
Reference in New Issue
Block a user