ci(release): bypass main protection via GitHub App token + bump-type input #5
Merged
…input

Two changes to .github/workflows/release.yml:

1. Mint an installation token from a dedicated GitHub App (secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY) and use it for both actions/checkout and the final git push. The App is added to the main ruleset's bypass list, so the post-publish commit/tag push can land on protected main. Replaces the previous use of the default GITHUB_TOKEN, which was rejected by branch protection.
2. Replace the free-form `version` string input with a `bump` choice (patch | minor | major). pnpm version <type> --no-git-tag-version computes the new version in lockstep across all 8 packages; we read it back from packages/core/package.json into \$VERSION for the rest of the job. Drops the semver-regex validation step (no longer needed).
Summary
- `main` was rejected by branch protection on v0.0.4 (GH006: Protected branch update failed), leaving npm published but `main` out of sync. The workflow now mints an installation token from a dedicated GitHub App (secrets `RELEASE_APP_ID` and `RELEASE_APP_PRIVATE_KEY`) and uses it for `actions/checkout` and the final `git push`. The App is added to the `main` ruleset's bypass list.
- `bump` choice input instead of free-form version string. `workflow_dispatch` now exposes a `bump` choice (`patch`/`minor`/`major`, default `patch`). `pnpm version <type> --no-git-tag-version` applies it in lockstep across all 8 packages; the new version is read back from `packages/core/package.json` into `$VERSION` for the rest of the job. The semver-regex validation step is gone — no longer needed.
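
A sketch of how a release workflow can wire up what the summary describes, added here as an example and not taken from this PR's diff. The minting action (`actions/create-github-app-token`), the step ids, the recursive `pnpm -r exec` form, the commit message, the tag format and the bot identity are assumptions; only the secret names, the `bump` input, the `pnpm version` flags and the `packages/core/package.json` read-back come from the page.

```yaml
# Added example, not the PR's actual workflow. Names marked "assumed" are not from the page.
name: release
on:
  workflow_dispatch:
    inputs:
      bump:
        description: Version bump type
        type: choice
        options: [patch, minor, major]
        default: patch

permissions:
  contents: read   # default GITHUB_TOKEN stays read-only; writes go through the App token

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Mint installation token
        id: app-token                              # assumed step id
        uses: actions/create-github-app-token@v1   # assumed action; pin to a commit SHA in practice
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}   # persisted and reused by the final git push

      # Node/pnpm setup omitted (assumed to exist in the real workflow)

      - name: Bump all packages
        env:
          BUMP: ${{ inputs.bump }}   # passed through env instead of being interpolated into the script
        run: |
          pnpm -r exec pnpm version "$BUMP" --no-git-tag-version   # recursive form is assumed
          echo "VERSION=$(node -p "require('./packages/core/package.json').version")" >> "$GITHUB_ENV"

      # publish step omitted

      - name: Commit, tag and push to protected main
        run: |
          git config user.name "release-bot"                   # placeholder identity
          git config user.email "release-bot@example.invalid"  # placeholder identity
          git commit -am "release: v$VERSION"                  # assumed message format
          git tag "v$VERSION"                                  # assumed tag format
          git push origin HEAD:main "v$VERSION"
```

Because the App sits on the `main` ruleset's bypass list, whoever can read `RELEASE_APP_PRIVATE_KEY` or trigger this job can push past branch protection; storing both secrets in a protected environment with required reviewers is one way to narrow that.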