Merged
5 changes: 3 additions & 2 deletions .github/workflows/release.yml
@@ -20,20 +20,21 @@ jobs:
ref: ${{ github.ref_name }}
fetch-depth: 0
fetch-tags: true
token: ${{ secrets.RELEASE_TOKEN }}
Copilot AI Mar 21, 2026

actions/checkout persists the provided token into the local git config by default. Since this is now a fine‑grained PAT, it would be safer/clearer to either (a) set persist-credentials: false if subsequent steps don't need git-remote auth, or (b) add an inline note that persisting credentials is intentional (because the workflow needs to push commits/tags) and that RELEASE_TOKEN should be minimally scoped/rotated.

Suggested change
token: ${{ secrets.RELEASE_TOKEN }}
token: ${{ secrets.RELEASE_TOKEN }}
persist-credentials: false

- run: git reset --hard ${{ github.sha }}

- name: Semantic Release
id: release
uses: python-semantic-release/python-semantic-release@v10.5.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.RELEASE_TOKEN }}
git_committer_name: "github-actions"
Comment on lines 30 to 32
Copilot AI Mar 21, 2026

This workflow now depends on a new RELEASE_TOKEN secret, but there’s no indication in-file of why GITHUB_TOKEN is insufficient or what permissions the PAT must have. Consider adding a short YAML comment near this input documenting the intent (branch-protection bypass) and the minimal fine-grained PAT permissions required so future maintainers can recreate/rotate it without trial-and-error.

git_committer_email: "actions@users.noreply.github.com"

- name: Publish to GitHub Releases
if: steps.release.outputs.released == 'true'
uses: python-semantic-release/publish-action@v10.5.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
github_token: ${{ secrets.RELEASE_TOKEN }}
tag: ${{ steps.release.outputs.tag }}
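Review bot: the PAT is now handed to all three steps (checkout, Semantic Release, and the publish-action `github_token: ${{ secrets.RELEASE_TOKEN }}`), but the hunk only shows a need for it where commits and tags are pushed; if the PAT exists to bypass branch protection on the push in the Semantic Release step, consider leaving the publish step on `github_token: ${{ secrets.GITHUB_TOKEN }}` so the long-lived credential is exposed to one step instead of three, and if the PAT is deliberately used for publishing so that the created release triggers other workflows, record that reason in a YAML comment beside the input. Either way, pairing this change with a job-level `permissions:` block that grants `GITHUB_TOKEN` only `contents: write` keeps the default token least-privileged for the steps that still use it.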