From 5334b4b2eed347dc1e85845a54460a1e5b2ea310 Mon Sep 17 00:00:00 2001
From: BryanFRD
Date: Wed, 17 Jun 2026 19:40:21 +0200
Subject: [PATCH] ci: add release concurrency guard and stop persisting GITHUB_TOKEN on the bot release
---
 .github/workflows/ci.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 46dc980..172ea25 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,6 +35,9 @@ jobs:
 name: Release
 needs: [lint, test]
 runs-on: ubuntu-latest
+ concurrency:
+ group: release-${{ github.ref }}
+ cancel-in-progress: false
 if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch'
 permissions:
 contents: write
@@ -45,6 +48,11 @@ jobs:
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0
+ # FerrFlow runs with bot: true — it pushes via an App installation
+ # token from its OIDC exchange, not the checkout-persisted
+ # GITHUB_TOKEN. Persisting GITHUB_TOKEN would let it win over the bot
+ # token on push (github-actions[bot] can't bypass branch rules).
+ persist-credentials: false
 - name: Record previous tag
 id: prev-tag
 run: echo "tag=$(git describe --tags --abbrev=0 2>/dev/null || echo '')" >> "$GITHUB_OUTPUT"
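Review bot: The concurrency group `release-${{ github.ref }}` is keyed on the ref, but the job's `if:` also admits `workflow_dispatch`, which can be started from a ref other than `refs/heads/main`; such a run lands in a different group and is not serialized against a release from main. If the intent is that only one release runs at a time in a job holding `contents: write`, a fixed name such as `group: release` would cover both triggers. The block also deserves a comment on its queueing behaviour, since with `cancel-in-progress: false` GitHub still keeps only one pending run per group: `# a running release is never cancelled; only the newest queued run is kept`. The job body continues outside the hunk.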
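Review bot: `persist-credentials: false` removes the token from the checkout's git config, so any later step in this job that runs an authenticated `git fetch` or `git push` without supplying its own credentials will now fail; the steps after `Record previous tag` are outside the hunk, so confirm the FerrFlow step is the only one that talks to the remote. The added comment gives the branch-rule reason but not the security one; consider appending `# Also keeps the job token out of .git/config, where later steps could read it.` Since this step is being hardened in a job with `contents: write`, `actions/checkout@v6` could also be pinned to a full commit SHA (`actions/checkout@<full-commit-sha> # v6`) so that a moved tag cannot change what runs here.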