fix(release): require RELEASE_PAT for tag and release updates

Stop using GITHUB_TOKEN/GITEA_TOKEN fallbacks in prepare/do-release/publish mutation paths. Require explicit PAT wiring via secrets.RELEASE_PAT for commit/push/tag and release update operations so downstream workflows trigger reliably.
2026-03-21 16:17:17 +00:00
parent 925c99bb9e
commit d5170b6874
7 changed files with 34 additions and 17 deletions
--- a/prepare/action.yml
+++ b/prepare/action.yml
@@ -42,6 +42,11 @@ inputs:
      custom version-file.
    required: false
    default: 'CHANGELOG.md release-version'
+  token:
+    description: >
+      Personal access token used to authenticate commit, push, and tag
+      operations. Required to ensure downstream workflows trigger on tag push.
+    required: true

 outputs:
  version:
@@ -114,7 +119,7 @@ runs:
    - name: Commit and push release
      shell: bash
      env:
-        TOKEN: ${{ github.token }}
+        TOKEN: ${{ inputs.token }}
        GIT_USER_NAME: ${{ inputs.git-user-name }}
        GIT_USER_EMAIL: ${{ inputs.git-user-email }}
        GIT_ADD_FILES: ${{ inputs.git-add-files }}
@@ -124,6 +129,11 @@ runs:
      run: |
        set -euo pipefail

+        if [[ -z "${TOKEN:-}" ]]; then
+          echo "A release PAT is required. Provide inputs.token (for example secrets.RELEASE_PAT)." >&2
+          exit 1
+        fi
+
        case "$GITHUB_SERVER_URL" in
          https://*)
            authed_remote="https://oauth2:${TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git"