From 1c8506ec3b1c2b96959685e7d495cb5a6112ffa6 Mon Sep 17 00:00:00 2001 From: Kumar Pratyush Date: Mon, 15 Jun 2026 19:48:42 +0530 Subject: [PATCH 1/4] ci: use RELEASE_PAT for tag push to allow release-package-helm to trigger GitHub Actions blocks downstream workflow triggers when GITHUB_TOKEN is used to push. Switching checkout to use RELEASE_PAT so the tag push fires the release-package-helm workflow automatically. Requires RELEASE_PAT secret with repo scope to be set in repository settings. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/create-release-tag.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/create-release-tag.yml b/.github/workflows/create-release-tag.yml index 4d852b0f..6e576a82 100644 --- a/.github/workflows/create-release-tag.yml +++ b/.github/workflows/create-release-tag.yml @@ -25,6 +25,7 @@ jobs: with: fetch-depth: 0 ref: main + token: ${{ secrets.RELEASE_PAT }} - name: Validate and normalize version id: version From 83e717530c49f2ba53d9078b522a05f1c70110e4 Mon Sep 17 00:00:00 2001 From: Kumar Pratyush Date: Mon, 15 Jun 2026 19:57:24 +0530 Subject: [PATCH 2/4] ci: add workflow_dispatch to release-package-helm for manual triggering Allows manually running the release packaging workflow from the Actions UI, needed for re-running releases when the tag already exists (e.g. v0.2.0). Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release-package-helm.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/release-package-helm.yml b/.github/workflows/release-package-helm.yml index 61c7dc8d..c5a7819f 100644 --- a/.github/workflows/release-package-helm.yml +++ b/.github/workflows/release-package-helm.yml @@ -13,6 +13,14 @@ on: push: tags: - 'v*.*.*' + workflow_dispatch: + inputs: + old_operator_version: + description: 'OLD OPERATOR VERSION' + required: false + new_operator_version: + description: 'NEW OPERATOR VERSION (e.g. 0.2.0)' + required: true jobs: build-and-push-images: 
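Review bot: The added `token: ${{ secrets.RELEASE_PAT }}` hands a long-lived personal token to the checkout step, which by default stores it in the local git config, so every later step in this job can push with it. The commit message asks for a classic PAT with `repo` scope, which covers every repository the token owner can write to. A fine-grained PAT limited to this repository with contents write access, or a GitHub App installation token, should also trigger the downstream workflow with far less exposure if it leaks. A comment above the line, such as `# RELEASE_PAT: this repo only, contents write; persisted in .git/config for the tag push`, would record the intended scope. The rest of the steps list is outside this hunk, so whether third-party actions run after checkout cannot be seen here.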
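Review bot: The two `workflow_dispatch` inputs are free-form text from whoever is allowed to run the workflow, and the jobs that consume them are outside this hunk. If any `run:` step expands `${{ inputs.new_operator_version }}` inline, the value becomes part of the script text. It is safer to pass it through `env:` and check it against a version pattern before use, much as create-release-tag.yml appears to do in its "Validate and normalize version" step. On the tag-push path both inputs are empty, so the jobs need a defined source for the version in each case. The description `'OLD OPERATOR VERSION'` could also say what the value is used for and what happens when it is left blank.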
From 7a85641f38ca075107c59e833eadac649e2e7c06 Mon Sep 17 00:00:00 2001 From: Kumar Pratyush Date: Mon, 15 Jun 2026 19:57:41 +0530 Subject: [PATCH 3/4] ci: add type: string to release-package-helm workflow_dispatch inputs Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release-package-helm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-package-helm.yml b/.github/workflows/release-package-helm.yml index c5a7819f..3900e8b6 100644 --- a/.github/workflows/release-package-helm.yml +++ b/.github/workflows/release-package-helm.yml @@ -18,9 +18,11 @@ on: old_operator_version: description: 'OLD OPERATOR VERSION' required: false + type: string new_operator_version: description: 'NEW OPERATOR VERSION (e.g. 0.2.0)' required: true + type: string jobs: build-and-push-images: From 8b840870d655cbec59adb44617e48ca30982516d Mon Sep 17 00:00:00 2001 From: Kumar Pratyush Date: Mon, 15 Jun 2026 19:59:37 +0530 Subject: [PATCH 4/4] ci: fail fast with clear error if RELEASE_PAT secret is missing Without this check, actions/checkout receives an empty token and fails with an opaque auth error. The pre-check exits immediately with an actionable message pointing to where the secret needs to be configured. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/create-release-tag.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/create-release-tag.yml b/.github/workflows/create-release-tag.yml index 6e576a82..e4da877d 100644 --- a/.github/workflows/create-release-tag.yml +++ b/.github/workflows/create-release-tag.yml 
@@ -20,6 +20,16 @@ jobs:
 create-tag:
 runs-on: ubuntu-latest
 steps:
+ - name: Check RELEASE_PAT is configured
+ run: |
+ if [[ -z "${{ secrets.RELEASE_PAT }}" ]]; then
+ echo "❌ RELEASE_PAT secret is not set."
+ echo "This workflow requires a PAT with 'repo' scope to push the tag and trigger release-package-helm.yml."
+ echo "Add it under: Settings → Secrets and variables → Actions → New repository secret → RELEASE_PAT"
+ exit 1
+ fi
+ echo "✅ RELEASE_PAT is configured"
+
 - name: Checkout code
 uses: actions/checkout@v4
 with:
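Review bot: The new check expands `${{ secrets.RELEASE_PAT }}` directly inside the `run:` script, so the token value is substituted into the generated shell script before bash parses it. A value containing a quote or `$` would alter the script, and the secret ends up in the script file on the runner. Pass it through the environment instead: add `env:` with `RELEASE_PAT: ${{ secrets.RELEASE_PAT }}` on the step and test `if [[ -z "${RELEASE_PAT:-}" ]]; then`. The `uses: actions/checkout@v4` context line below now receives this PAT, so pinning that action to a full commit SHA is worth doing in the same change. The steps list continues outside the hunk.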