Task Summary
`.github/workflows/direct-backport-push.yml` cherry-picks a squash-merged commit from `main` onto a release branch (e.g. `release/v1.1.0-incubating`) and pushes it. The push currently uses the default `GITHUB_TOKEN`, so the resulting push to the release branch does not retrigger workflows that run on push to release branches (post-merge CI on the release branch). The cherry-pick lands silently with no CI signal.
Why this matters
After enabling CI for release branches (#4594) and the post-merge backport flow (#4580), we still don't get CI runs on backport commits because `GITHUB_TOKEN`-authored pushes are explicitly excluded from triggering downstream workflows. Without CI on backport commits, regressions on the release branch can go unnoticed until a release-candidate build.
Proposed Next Step
Use a fine-grained PAT (repo secret `AUTO_MERGE_TOKEN`, same one we'll use for the AutoQueue stand-in workflow) for the `actions/checkout@v5` step in the `push-backports` job. Falls back to `GITHUB_TOKEN` when the secret is unset (keeps current behavior on forks).
Specifically, in `.github/workflows/direct-backport-push.yml` push-backports job:
```yaml
- name: Checkout main
uses: actions/checkout@v5
with:
fetch-depth: 0
token: ${{ secrets.AUTO_MERGE_TOKEN || secrets.GITHUB_TOKEN }}
```
Priority
P2 – Medium
Task Type
Related
Task Summary
`.github/workflows/direct-backport-push.yml` cherry-picks a squash-merged commit from `main` onto a release branch (e.g. `release/v1.1.0-incubating`) and pushes it. The push currently uses the default `GITHUB_TOKEN`, so the resulting push to the release branch does not retrigger workflows that run on push to release branches (post-merge CI on the release branch). The cherry-pick lands silently with no CI signal.
Why this matters
After enabling CI for release branches (#4594) and the post-merge backport flow (#4580), we still don't get CI runs on backport commits because `GITHUB_TOKEN`-authored pushes are explicitly excluded from triggering downstream workflows. Without CI on backport commits, regressions on the release branch can go unnoticed until a release-candidate build.
Proposed Next Step
Use a fine-grained PAT (repo secret `AUTO_MERGE_TOKEN`, same one we'll use for the AutoQueue stand-in workflow) for the `actions/checkout@v5` step in the `push-backports` job. Falls back to `GITHUB_TOKEN` when the secret is unset (keeps current behavior on forks).
Specifically, in `.github/workflows/direct-backport-push.yml` push-backports job:
```yaml
uses: actions/checkout@v5
with:
fetch-depth: 0
token: ${{ secrets.AUTO_MERGE_TOKEN || secrets.GITHUB_TOKEN }}
```
Priority
P2 – Medium
Task Type
Related