fix(release): require RELEASE_PAT for tag and release updates
All checks were successful
Push Validation / coverage-badge (push) Successful in 1m11s
Push Validation / recommend-release (push) Successful in 24s

Stop using GITHUB_TOKEN/GITEA_TOKEN fallbacks in prepare/do-release/publish mutation paths. Require explicit PAT wiring via secrets.RELEASE_PAT for commit/push/tag and release update operations so downstream workflows trigger reliably.
This commit is contained in:
Micheal Wilkinson
2026-03-21 16:17:17 +00:00
parent 925c99bb9e
commit d5170b6874
7 changed files with 34 additions and 17 deletions


@@ -63,13 +63,14 @@ and `version-pattern`:
```yaml
- uses: https://git.hrafn.xyz/aether/vociferate/prepare@v1.0.2
with:
token: ${{ secrets.RELEASE_PAT }}
version-file: internal/myapp/version/version.go
version-pattern: 'const Version = "([^"]+)"'
git-add-files: CHANGELOG.md internal/myapp/version/version.go
```
`prepare` uses `github.token` internally for authenticated fetch/push operations,
so no token input is required.
`prepare` requires a PAT input for authenticated commit/push/tag operations.
Pass `token: ${{ secrets.RELEASE_PAT }}` when invoking the action.
### `publish` — create release with changelog notes
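Review bot: the new `prepare` paragraph says a PAT is required but does not say what the PAT must be allowed to do; since the token now performs commit, push and tag operations, the README should name the minimum scope (write access to this repository's contents) so users do not mint an account-wide PAT with broader rights than the release job needs. The removed sentence was also the only place the `github.token` fallback was documented, so state the breaking change explicitly, e.g. "`token` is required; the action no longer falls back to `github.token`", and confirm that the `prepare@v1.0.2` tag pinned in the example actually contains the requirement, otherwise readers following the snippet will see different behaviour from the text.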
@@ -96,9 +97,8 @@ Gitea/GitHub release with those notes. The `version` input is optional — when
omitted it is derived from the current tag ref automatically.
The reusable `Do Release` workflow now runs preflight checks before publish to
fail fast when the release token is missing or lacks API access. On
self-hosted Gitea, set `secrets.GITEA_TOKEN`; on GitHub, `secrets.GITHUB_TOKEN`
is used automatically.
fail fast when the release token is missing or lacks API access. Set
`secrets.RELEASE_PAT` and use it for prepare/publish release operations.
The `publish` action outputs `release-id` so you can upload additional release
assets after it runs:
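Review bot: the rewritten sentence tells the reader to set `secrets.RELEASE_PAT` but, because `Do Release` is a reusable workflow, does not say how the secret reaches it; callers have to pass it in the `secrets:` block of the job that `uses:` the workflow rather than only defining it in repository settings, so a short snippet of the call would prevent the preflight check from tripping on an empty token. It would also help to say what the preflight actually verifies (token presence and API access, per the text) and which error it reports when `RELEASE_PAT` is unset, since that is the first thing a user will hit after upgrading from the `GITEA_TOKEN`/`GITHUB_TOKEN` behaviour described in the removed lines.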
@@ -110,7 +110,7 @@ assets after it runs:
- name: Upload my binary
run: |
curl --fail-with-body -X POST \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "Authorization: token ${{ secrets.RELEASE_PAT }}" \
-H "Content-Type: application/octet-stream" \
"${{ github.api_url }}/repos/${{ github.repository }}/releases/${{ steps.publish.outputs.release-id }}/assets?name=myapp" \
--data-binary "@dist/myapp"
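Review bot: the asset-upload step did not need to change for the stated goal (commit, push, tag and release updates triggering downstream workflows), so switching this `curl` to `secrets.RELEASE_PAT` widens the credential used for a plain API write. On GitHub the job-scoped `GITHUB_TOKEN` with `contents: write` can upload release assets and expires with the job, which is the least-privilege choice, whereas a PAT is long-lived and should be used only where the built-in token genuinely falls short. If the PAT is kept here for consistency with the Gitea path, say so in the surrounding text, and remember that the `${{ }}` expression is expanded into the step script, so log masking is the only protection for a long-lived credential at this point.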