From 03f826f306371046712420084c613a2bd79d3942 Mon Sep 17 00:00:00 2001
From: Corwin Marsh
Date: Fri, 8 May 2026 17:42:54 -0700
Subject: [PATCH] Use PAT for changeset release PR updates
---
 .github/workflows/release.yml | 8 +++++++-
 README.md | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c07a4d1..f03e659 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,10 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ # Avoid persisting the default GITHUB_TOKEN in git config. That token causes
+ # changeset-release/* pushes and PR updates to skip downstream CI.
+ persist-credentials: false
+ token: ${{ secrets.RELEASE_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Setup Vite+
 uses: voidzero-dev/setup-vp@v1
@@ -42,7 +46,9 @@ jobs:
 title: "chore: release packages"
 commit: "chore: release packages"
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # Use a PAT or GitHub App installation token so release PR pushes trigger
+ # normal pull_request/push workflows on changeset-release/* branches.
+ GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Published packages summary
diff --git a/README.md b/README.md
index 4a195ec..6ca8636 100644
--- a/README.md
+++ b/README.md
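Review bot: The `token:` input added to the checkout step hands the release PAT to a step that does not need it. With `persist-credentials: false` the checkout token is used only for the fetch and is removed from git config afterwards, so it has no effect on which identity later pushes the `changeset-release/*` branch. Leaving checkout on its default token keeps the long-lived credential confined to the one step that pushes; I would drop the `token: ${{ secrets.RELEASE_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}` line unless the fetch itself needs extra access (private submodules, for example, which this hunk does not show). The checkout step begins above the hunk.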
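Review bot: The `env:` block now gives the release step a credential that, unlike `GITHUB_TOKEN`, is not limited by the workflow's `permissions:` block and does not expire when the job ends, and it sits next to `NPM_TOKEN` in the environment of whatever scripts that step runs. The comment should state the intended bound, e.g. `# RELEASE_GITHUB_TOKEN: prefer a GitHub App installation token; if a PAT, fine-grained, this repository only, with an expiry.` The `||` fallback is also silent: when the secret is missing the job still succeeds and release PRs simply get no CI, so consider logging a warning when the fallback is taken. The step's `uses:` line is outside the hunk, so how it stores the token for pushing cannot be confirmed from here.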
@@ -114,4 +114,6 @@ Prefer npm trusted publishing with GitHub Actions OIDC. This workflow already in
 If you are not using trusted publishing yet, you can instead provide an `NPM_TOKEN` GitHub Actions secret.
+To ensure CI runs on the auto-generated `changeset-release/*` PRs, also configure a `RELEASE_GITHUB_TOKEN` secret (PAT or GitHub App installation token) with repository `Contents: Read and write` and `Pull requests: Read and write`. The release workflow falls back to `GITHUB_TOKEN`, but that fallback will not trigger downstream workflows for release PR updates.
+
 The workflow is defined in `.github/workflows/release.yml`.