Skip to content

ci(release): use RELEASE_PAT so Publish workflow auto-fires#98

Merged
telivity-otaip merged 1 commit into
mainfrom
fix/release-pat-trigger
May 6, 2026
Merged

ci(release): use RELEASE_PAT so Publish workflow auto-fires#98
telivity-otaip merged 1 commit into
mainfrom
fix/release-pat-trigger

Conversation

@telivity-otaip
Copy link
Copy Markdown
Collaborator

@telivity-otaip telivity-otaip commented May 6, 2026

Summary

The Release workflow's gh release create call was authenticated with the default GITHUB_TOKEN. GitHub Actions intentionally does not trigger downstream workflows for events fired by GITHUB_TOKEN — that's why the Publish-to-npm workflow has never auto-fired off the release: published event for v0.7.0 or v0.7.1. Both releases sat on GitHub until someone manually clicked "Run workflow" on Publish.

This PR switches the create-release step to a Personal Access Token (RELEASE_PAT secret), which makes the event "user-fired" and propagates it to downstream workflows.

Behaviour

  • RELEASE_PAT set → release creation propagates → Publish workflow auto-fires → packages reach npm with no manual intervention.
  • RELEASE_PAT unset → falls back to GITHUB_TOKEN. Release still gets created (so the workflow doesn't break), but Publish stays manual. This keeps the workflow functional during the brief window between merging this PR and adding the secret.

One-time setup (repo admin)

  1. Create a fine-grained PAT at https://github.com/settings/personal-access-tokens/new:
    • Repository access: telivity-otaip/otaip only.
    • Permissions → Repository permissions → set Contents: Read and write. That's the only scope needed for gh release create.
    • Expiration: pick a value you'll remember to rotate (90 days is reasonable).
  2. Copy the token.
  3. In the repo: Settings → Secrets and variables → Actions → New repository secret → name RELEASE_PAT, value the PAT.

After the secret is set, the next release PR you merge will auto-publish.

Why not GITHUB_TOKEN

Per the GitHub Actions docs:

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs.

Sensible default for most repos; problem for ours specifically because we want the release event to fan out.

Alternatives considered

  • workflow_call chain — refactor Publish into a reusable workflow and have Release call it directly. Avoids the PAT but couples the two workflows; both would need to live in the same repo and the manual Publish trigger becomes more awkward. Rejected as more invasive than necessary.
  • gh workflow run publish.yml as a final step in Release — works without a PAT, but loses the GitHub-native release-event trigger model and complicates retries.

The PAT approach is the standard fix and minimal-touch.

Test plan

  • One-line wiring change with a fallback so unconfigured environments don't break.
  • After merge: admin adds RELEASE_PAT secret.
  • Next release PR (v0.7.2) merges → Release runs → Publish auto-fires → npm view @otaip/core version returns 0.7.2 without manual intervention.

🤖 Generated with Claude Code

@claude
ci(release): use RELEASE_PAT so Publish workflow auto-fires
509b95d 
The Release workflow's gh release create call was authenticated with
the default GITHUB_TOKEN. GitHub Actions intentionally does not
trigger downstream workflows for events fired by GITHUB_TOKEN, which
is why the Publish-to-npm workflow has never auto-fired off the
release: published event for v0.7.0 or v0.7.1 — packages only made
it to npm when someone clicked "Run workflow" by hand.

Switch to a Personal Access Token (RELEASE_PAT secret) so the event
is "user-fired" and propagates. Falls back to GITHUB_TOKEN when
RELEASE_PAT isn't set, so the release still gets created — but in
that fallback path Publish stays manual.

Setup needed (one-time, repo admin):
- Generate a fine-grained PAT scoped to this repo with
  `Contents: write` permission.
- Add it as the `RELEASE_PAT` repository secret.

After that, every merged release-PR auto-publishes to npm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@telivity-otaip telivity-otaip merged commit 9615d85 into main May 6, 2026
1 check passed
@telivity-otaip telivity-otaip deleted the fix/release-pat-trigger branch May 6, 2026 18:38
@telivity-otaip telivity-otaip mentioned this pull request May 7, 2026
Merged
3 tasks
ntbpy pushed a commit to ntbpy/AI_Agent_otaip that referenced this pull request May 11, 2026
@claude
chore(release): v0.7.2 — Duffel Cars + auto-publish + post-TelivityAI#93
28f0a4d 
 fix

Patch bump off v0.7.1. Three pieces:

- TelivityAI#99 @otaip/adapter-duffel adds Cars (search → quote → book → get
  → cancel) under /cars/. Same Bearer auth, AbortSignal threading
  on request(). 8 open DOMAIN_QUESTIONs captured in
  docs/knowledge-base/cars.md.
- TelivityAI#97 unbreaks the Release workflow's Count agents step that TelivityAI#93's
  CLI re-export indirection broke. Every push-to-main since TelivityAI#93
  had been failing silently — that's why v0.7.1's tag was created
  but the workspace npm bumps lagged behind for a while.
- TelivityAI#98 switches gh release create to RELEASE_PAT so the
  release: published event propagates to the Publish workflow.
  This is the first release that should auto-publish to npm
  without a manual workflow_dispatch.

Workspace-wide bump: 17 package.json files 0.7.1 → 0.7.2
(@otaip/adapter-duffel was already at 0.7.2 from TelivityAI#99). Going
forward, the next release is v0.7.3.

See CHANGELOG.md for details.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@telivity-otaip