From 6c5d8b99ec59f2dda7eb757faeaa7aae350f402c Mon Sep 17 00:00:00 2001
From: Buffrr <contact@buffrr.dev>
Date: Fri, 17 Apr 2026 18:54:53 +0200
Subject: [PATCH] ci: use RELEASE_PLZ_TOKEN so release tags trigger binding
 workflows

The default GITHUB_TOKEN cannot trigger other workflows. Use a PAT
(stored as RELEASE_PLZ_TOKEN) for the release job so the libveritas-v*
tags it pushes fan out to the npm/pypi/kotlin/swift/react-native/go
publish workflows.
---
 .github/workflows/release-plz.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
index e467cdb..e403130 100644
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@@ -31,6 +31,9 @@ jobs:
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
 
   # Tags + publishes to crates.io when a release commit lands on main.
+  # Uses RELEASE_PLZ_TOKEN (PAT with `repo` scope) so the pushed tags
+  # trigger downstream binding publish workflows. The default GITHUB_TOKEN
+  # cannot trigger other workflows.
   release-plz-release:
     name: Release-plz publish
     runs-on: ubuntu-latest
@@ -39,11 +42,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ secrets.RELEASE_PLZ_TOKEN }}
       - uses: dtolnay/rust-toolchain@stable
       - name: Run release-plz
         uses: release-plz/action@v0.5
         with:
           command: release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_TOKEN }}
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}