Merged
20 changes: 20 additions & 0 deletions .github/SETTINGS.md
Expand Up @@ -99,6 +99,26 @@ appear. Then continue below.

## Secrets (when needed) — Secrets and variables → Actions

- [ ] `RELEASE_PLEASE_TOKEN` **(required for automated releases)**:
- Without this, release-please falls back to `GITHUB_TOKEN`.
GitHub's anti-recursion rule then suppresses every downstream
workflow triggered by release-please: the release PR's CI
doesn't run, and the tag it creates on merge doesn't fire
`release.yml`. Result: the release PR looks blocked forever
and goreleaser never publishes the release artifacts
automatically.
- Generate a fine-grained PAT at
<https://github.com/settings/personal-access-tokens/new>:
- Resource owner: your account.
- Repository access: **Only select repositories** → this repo only.
- Repository permissions:
- **Contents**: Read and write
- **Pull requests**: Read and write
- **Workflows**: Read and write (release-please updates workflow
files if you ever add `extra-files` that include `.github/**`)
- Expiration: ≤ 1 year (fine-grained PATs cannot be infinite).
- Paste into repo secret named exactly `RELEASE_PLEASE_TOKEN`.

- [ ] `HOMEBREW_TAP_GITHUB_TOKEN` *(optional, add when ready to
publish Homebrew)*:
- Use your existing `amiwrpremium/homebrew-tap` repo (a single
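Review bot: The **Workflows**: Read and write bullet under Repository permissions is presented as part of the required set, yet its own parenthetical says release-please only updates workflow files "if you ever add `extra-files` that include `.github/**`". A token with both Contents and Workflows write on this repo can modify any workflow file, including ones that read other secrets, so I'd mark that permission as optional and tell readers to leave it off until such an `extra-files` entry actually exists. Since the Expiration bullet caps the token at one year, it would also help to add a rotation reminder and a line on how to recognise an expired token, so a lapsed secret isn't mistaken for the blocked-release symptoms described in the first bullet.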
13 changes: 13 additions & 0 deletions .github/workflows/release-please.yml
Expand Up @@ -20,7 +20,20 @@ jobs:
release-please:
runs-on: ubuntu-latest
steps:
# token: RELEASE_PLEASE_TOKEN (a PAT) — not the default GITHUB_TOKEN.
# GitHub's anti-recursion rule suppresses downstream workflow triggers
# for any action that uses GITHUB_TOKEN. That means a release-please
# tag created via GITHUB_TOKEN does NOT fire release.yml on its tag
# push, and the release-please PR it opens does NOT fire ci.yml on
# `pull_request`. A PAT sidesteps both: the tag push and the PR
# creation look like real user events, so every downstream workflow
# fires normally.
#
# The PAT needs: Contents: Read+Write, Pull requests: Read+Write,
# Workflows: Read+Write (so release-please can update workflow
# files if needed). Scoped to this repo only. See SETTINGS.md.
- uses: googleapis/release-please-action@v4
with:
token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
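Review bot: `googleapis/release-please-action@v4` on the `uses:` line is referenced by a movable tag, and with this change it receives a PAT carrying Contents, Pull requests and Workflows write rather than the default `GITHUB_TOKEN`; pin the action to a full commit SHA (keeping the version in a trailing comment) so a retagged release cannot run with that token. Separately, SETTINGS.md says a missing secret "falls back to `GITHUB_TOKEN`", but `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` passes an empty value when the secret is unset; either spell the fallback out in the expression or add an earlier step that fails with a clear message, so the behaviour does not depend on how the action treats an empty input.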