bkper · maelcaldas · Mar 27, 2026 · Mar 27, 2026
diff --git a/.github/workflows/bkper-cli-delivery.yml b/.github/workflows/bkper-cli-delivery.yml
@@ -37,49 +37,52 @@ jobs:
 
     release:
         needs: build-and-unit-test
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.actor != 'github-actions[bot]'
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         runs-on: ubuntu-latest
+        concurrency:
+            group: release-main
+            cancel-in-progress: false
         permissions:
             contents: write
             pull-requests: read
             id-token: write
 
         steps:
-            - name: Determine release level from merged PR labels
+            - name: Determine release level from PR labels associated with this commit
               id: release_level
               uses: actions/github-script@v7
               with:
                   script: |
                       const owner = context.repo.owner;
                       const repo = context.repo.repo;
                       const commitSha = context.sha;
-
-                      const { data: pulls } = await github.rest.pulls.list({
+                      const levelByLabel = {
+                        'release:patch': 'patch',
+                        'release:minor': 'minor',
+                        'release:major': 'major',
+                      };
+                      const orderedLabels = ['release:major', 'release:minor', 'release:patch'];
+
+                      const { data: pulls } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
                         owner,
                         repo,
-                        state: 'closed',
-                        base: 'main',
-                        sort: 'updated',
-                        direction: 'desc',
-                        per_page: 100,
+                        commit_sha: commitSha,
                       });
 
-                      const mergedPr = pulls.find(
-                        pr => pr.merged_at && pr.merge_commit_sha === commitSha
-                      );
+                      const mergedPr = pulls.find(pr => pr.merged_at && pr.base?.ref === 'main');
 
                       if (!mergedPr) {
                         core.info('No merged PR associated with this commit. Skipping release.');
                         core.setOutput('level', 'none');
                         return;
                       }
 
-                      const labels = (mergedPr.labels ?? []).map(label => label.name);
-                      let level = 'none';
+                      const labels = (mergedPr.labels ?? [])
+                        .map(label => typeof label === 'string' ? label : label.name)
+                        .filter(Boolean);
 
-                      if (labels.includes('release:major')) level = 'major';
-                      else if (labels.includes('release:minor')) level = 'minor';
-                      else if (labels.includes('release:patch')) level = 'patch';
+                      const selectedLabel = orderedLabels.find(label => labels.includes(label)) ?? null;
+                      const level = selectedLabel ? levelByLabel[selectedLabel] : 'none';
 
                       core.info(`Merged PR: #${mergedPr.number} (${mergedPr.html_url})`);
                       core.info(`Labels: ${labels.join(', ') || '(none)'}`);

diff --git a/.github/workflows/dependabot-automerge-pi-patch.yml b/.github/workflows/dependabot-automerge-pi-patch.yml
@@ -1,28 +1,35 @@
-name: Dependabot automerge (Pi)
+name: Dependabot Pi patch
 
 on:
   pull_request_target:
-    types: [opened, synchronize, reopened, labeled]
+    types: [opened, synchronize, reopened]
 
 permissions:
   contents: write
   pull-requests: write
 
 jobs:
-  automerge:
+  patch:
     if: github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
 
     steps:
-      - name: Fetch Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v2
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-
-      - name: Enable auto-merge for Pi updates
-        if: contains(steps.metadata.outputs.dependency-names, '@mariozechner/pi-coding-agent')
+      - name: Apply patch release label
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
-        run: gh pr merge --auto --squash "$PR_URL"
+        run: gh pr edit "$PR_URL" --add-label "release:patch"
+
+      - name: Enable auto-merge
+        env:
+          GH_TOKEN: ${{ secrets.BKPER_AUTOMERGE_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          set -euo pipefail
+
+          if [[ -z "${GH_TOKEN:-}" ]]; then
+            echo "BKPER_AUTOMERGE_TOKEN secret is required to enable Dependabot auto-merge without suppressing the downstream main push release workflow."
+            exit 1
+          fi
+
+          gh pr merge --auto --squash "$PR_URL"
diff --git a/.github/workflows/dependabot-release-labels.yml b/.github/workflows/dependabot-release-labels.yml
diff --git a/README.md b/README.md
@@ -912,16 +912,3 @@ Bkper.setConfig({
     oauthTokenProvider: async () => getOAuthToken(),
 });
 ```
-
-## Documentation
-
--   [Developer Docs]
--   [App Template]
-
-## Release process (maintainers)
-
-Releases are published by GitHub Actions (Trusted Publisher with OIDC), not from local machines.
-
--   Merge a PR into `main` with one release label: `release:patch`, `release:minor`, or `release:major`
--   On `main` push, CI determines the merged PR label, bumps `package.json` version, tags, and publishes to npm
--   Without a release label, publish is skipped