From c602750452b05a012b3f22ab7476ba8f0852d104 Mon Sep 17 00:00:00 2001
From: AMiWR
Date: Tue, 21 Apr 2026 13:41:53 +0000
Subject: [PATCH] ci(release-please): authenticate via RELEASE_PLEASE_TOKEN PAT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default GITHUB_TOKEN triggers GitHub's anti-recursion safeguard: any workflow action taken with that token does NOT fire downstream workflows. For release-please that means:

- Release PR opened → pull_request event doesn't fire → ci.yml never runs → branch protection blocks the merge.
- Release-please tag created on PR merge → push-tag event doesn't fire → release.yml (goreleaser) never runs → binaries + .deb + .rpm + Homebrew formula never publish automatically.

Both bit us during the v0.1.0 ship.

Fix: authenticate the action with a dedicated fine-grained PAT (RELEASE_PLEASE_TOKEN). PAT-triggered events count as real user actions, so every downstream workflow fires normally.

.github/SETTINGS.md updated to document the new secret and its required scopes (Contents R/W, Pull requests R/W, Workflows R/W, scoped to this repo only, ≤ 1-year expiration).

After merge: release-please's next run uses the PAT, re-syncs the existing 0.1.1 release PR (the refreshing commit comes via PAT so CI fires correctly), and on merge the v0.1.1 tag push auto-fires goreleaser — no more manual close-reopen + workflow_dispatch dance.
---
 .github/SETTINGS.md                  | 20 ++++++++++++++++++++
 .github/workflows/release-please.yml | 13 +++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/.github/SETTINGS.md b/.github/SETTINGS.md
index 31cf377..17c9d9d 100644
--- a/.github/SETTINGS.md
+++ b/.github/SETTINGS.md
@@ -99,6 +99,26 @@ appear. Then continue below. ## Secrets (when needed) — Secrets and variables → Actions +- [ ] `RELEASE_PLEASE_TOKEN` **(required for automated releases)**: + - Without this, release-please falls back to `GITHUB_TOKEN`. + GitHub's anti-recursion rule then suppresses every downstream + workflow triggered by release-please: the release PR's CI + doesn't run, and the tag it creates on merge doesn't fire + `release.yml`. Result: the release PR looks blocked forever + and goreleaser never publishes the release artifacts + automatically. + - Generate a fine-grained PAT at + : + - Resource owner: your account. + - Repository access: **Only select repositories** → this repo only. + - Repository permissions: + - **Contents**: Read and write + - **Pull requests**: Read and write + - **Workflows**: Read and write (release-please updates workflow + files if you ever add `extra-files` that include `.github/**`) + - Expiration: ≤ 1 year (fine-grained PATs cannot be infinite). + - Paste into repo secret named exactly `RELEASE_PLEASE_TOKEN`. + - [ ] `HOMEBREW_TAP_GITHUB_TOKEN` *(optional, add when ready to publish Homebrew)*: - Use your existing `amiwrpremium/homebrew-tap` repo (a single diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 7194698..d504089 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
@@ -20,7 +20,20 @@ jobs: release-please: runs-on: ubuntu-latest steps: + # token: RELEASE_PLEASE_TOKEN (a PAT) — not the default GITHUB_TOKEN. + # GitHub's anti-recursion rule suppresses downstream workflow triggers + # for any action that uses GITHUB_TOKEN. That means a release-please + # tag created via GITHUB_TOKEN does NOT fire release.yml on its tag + # push, and the release-please PR it opens does NOT fire ci.yml on + # `pull_request`. A PAT sidesteps both: the tag push and the PR + # creation look like real user events, so every downstream workflow + # fires normally. + # + # The PAT needs: Contents: Read+Write, Pull requests: Read+Write, + # Workflows: Read+Write (so release-please can update workflow + # files if needed). Scoped to this repo only. See SETTINGS.md. - uses: googleapis/release-please-action@v4 with: + token: ${{ secrets.RELEASE_PLEASE_TOKEN }} config-file: release-please-config.json manifest-file: .release-please-manifest.json
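Review bot: in the SETTINGS.md hunk, the `Workflows: Read and write` permission is justified only by a hypothetical (`release-please updates workflow files if you ever add extra-files that include .github/**`), so it is broader than this change needs; a token holding Contents plus Workflows write on the repo can rewrite any workflow in it, so leave Workflows off the required list until an `extra-files` entry under `.github/` actually exists, and add it then. Two smaller points in the same checklist: the line `Generate a fine-grained PAT at` ends in a bare `:` with no link target after it, and `Expiration: ≤ 1 year` means the release pipeline will stop when the token lapses, so the entry should say where the rotation reminder lives and what the failure looks like (the release-please step fails to authenticate, which is a different symptom from the suppressed-trigger one described above it). Since this is a personal token, releases are also now tied to one account keeping write access to the repo; a GitHub App installation token gives the same downstream-trigger behaviour without that dependency and is worth a sentence as the alternative.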
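Review bot: in the release-please.yml hunk, `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` is passed unconditionally, so the fallback SETTINGS.md promises (`Without this, release-please falls back to GITHUB_TOKEN`) does not actually happen: when the secret is absent the expression evaluates to an empty string, which is still a supplied input and overrides the action's own default, and the step fails to authenticate. Either make the fallback real with `token: ${{ secrets.RELEASE_PLEASE_TOKEN || github.token }}` or change the SETTINGS.md wording to say the secret is mandatory. Because this step now holds a token with Contents and Workflows write, pin `googleapis/release-please-action@v4` to a full commit SHA rather than the mutable `v4` tag, and, if the job does not already set `permissions:` above the shown context, add one so the job's own `GITHUB_TOKEN` carries nothing the PAT does not already cover. The twelve-line comment block also restates the SETTINGS.md text almost verbatim; a one-line pointer such as `# PAT, not GITHUB_TOKEN, so downstream workflows fire; see SETTINGS.md` keeps a single source of truth for the permission list.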