
ci: add release concurrency guard and drop persisted creds on the bot release #148

Merged: BryanFRD merged 1 commit into main from ci/release-concurrency-bot-creds on Jun 17, 2026


@BryanFRD

Contributor

Closes #129.

Two race/auth hardening fixes on the inline release job in ci.yml (this repo has no separate release.yml — the release runs inside CI):

  • Concurrency — added concurrency: { group: release-${{ github.ref }}, cancel-in-progress: false } so two main merges can't race the FerrFlow release run and trip E2006: tag already exists.
  • Checkout creds — the job runs FerrLabs/FerrFlow@v5 with bot: true, which pushes via an App installation token from its OIDC exchange, not the checkout-persisted GITHUB_TOKEN. Added persist-credentials: false so the persisted GITHUB_TOKEN can't win over the bot token on push (github-actions[bot] can't bypass the branch ruleset).

Note: the parent issue/#56 prescribed checkout@v6 → v5 to dodge v6 dropping GITHUB_TOKEN on fetch-depth: 0. That workaround doesn't apply here because this release doesn't use GITHUB_TOKEN for the push (it uses the bot token) — persist-credentials: false on v6 is the correct, current pattern (matches the FerrLabs/.github reusable release). Kept @v6.

@BryanFRD BryanFRD enabled auto-merge (squash) June 17, 2026 17:40
@BryanFRD BryanFRD merged commit eeaabf8 into main Jun 17, 2026
13 checks passed
@BryanFRD BryanFRD deleted the ci/release-concurrency-bot-creds branch June 17, 2026 17:40
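
The two settings from the PR description, placed in a release job, as an added sketch that is not the repository's actual ci.yml. Only the `concurrency` block, `persist-credentials: false`, `actions/checkout@v6` and `FerrLabs/FerrFlow@v5` with `bot: true` come from the description; the job names, trigger, `needs`, `permissions` and `fetch-depth` are assumptions.

```yaml
# Constructed example, not the project's workflow file.
name: CI
on:
  push:
    branches: [main]

jobs:
  test:                                  # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: echo "build and test steps" # placeholder

  release:                               # hypothetical job name
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest

    # Before: no concurrency key, so two merges to main could run the
    # release at the same time and both try to create the same tag.
    # After: runs for the same ref share one group, and
    # cancel-in-progress: false lets a started release finish while the
    # next one waits. GitHub keeps at most one pending run per group, so
    # a newer queued run replaces an older queued one.
    concurrency:
      group: release-${{ github.ref }}
      cancel-in-progress: false

    permissions:
      id-token: write   # assumption: required to request an OIDC token
      contents: read    # assumption: the push uses the bot token instead

    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0                 # assumption: full history for tagging
          # Before: persist-credentials defaulted to true, which leaves
          # GITHUB_TOKEN configured for later git commands in the job.
          # After: nothing is persisted, so the only credential available
          # at push time is the one the release action supplies.
          persist-credentials: false

      - uses: FerrLabs/FerrFlow@v5
        with:
          bot: true
```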

Development

Successfully merging this pull request may close these issues.

chore(ci): release.yml — add concurrency + pin checkout to v5
