Background
release.yml's Post-release cleanup into develop job fails at gh pr create with:
pull request create failed: GraphQL: GitHub Actions is not permitted to create or approve pull requests (createPullRequest)
Observed on the v0.2.1 release (run 27687879005). The release itself succeeded — v0.2.1 tag + GitHub Release published, and the cleanup branch chore/release-cleanup-v0.2.1 was pushed — but the cleanup PR could not be opened, so the cleanup had to be merged manually (#251).
#243 added permissions: pull-requests: write to the job, but that is overridden by the repository/org setting Settings → Actions → General → Workflow permissions → "Allow GitHub Actions to create and approve pull requests", which is currently disabled. The job-level permission cannot grant what the org/repo toggle forbids, so #243's fix was necessary but not sufficient. This will fail on every future release.
Options (pick one)
- Enable the setting (simplest): repo Settings → Actions → General → Workflow permissions → check "Allow GitHub Actions to create and approve pull requests". No code change. (Admin only.)
- Use a PAT: store a fine-grained PAT (or app token) as a secret with pull-requests: write + contents: write and pass it to the cleanup step's gh / checkout instead of GITHUB_TOKEN. Works even with the org toggle off.
Affected Files
- .github/workflows/release.yml (only if option 2 is chosen)
- Repository Actions settings (option 1)
Verification Checklist
- chore/release-cleanup-vX.Y.Z PR into develop with no manual step.
Definition of Done
- The post-release cleanup PR is created and merged automatically by release.yml.
Relates to #243.
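A sketch of option 2 as it could look in release.yml. This is an added example, not the project's actual workflow. The job id, the secret name RELEASE_CLEANUP_TOKEN, the action version and the use of github.ref_name for the version are assumptions.

```yaml
# Added example for option 2. Names marked "assumed" are not from the repository.
jobs:
  post-release-cleanup:                     # assumed job id
    name: Post-release cleanup into develop
    runs-on: ubuntu-latest
    # The push and the PR both use the PAT, so GITHUB_TOKEN can stay read-only.
    permissions:
      contents: read
    env:
      # assumed: the workflow runs on the release tag, e.g. v0.2.1
      VERSION: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: develop
          # Fine-grained PAT (or app token) with contents: write and
          # pull-requests: write, limited to this repository.
          # The secret name is hypothetical.
          token: ${{ secrets.RELEASE_CLEANUP_TOKEN }}

      # The existing steps that commit the cleanup and push
      # chore/release-cleanup-${VERSION} stay as they are. They now push
      # with the credential that checkout configured above.

      - name: Open cleanup PR
        env:
          # gh reads GH_TOKEN. Setting it on this step only keeps the PAT
          # out of the environment of every other step in the job.
          GH_TOKEN: ${{ secrets.RELEASE_CLEANUP_TOKEN }}
        run: |
          gh pr create \
            --base develop \
            --head "chore/release-cleanup-${VERSION}" \
            --title "chore: release cleanup ${VERSION}" \
            --body "Post-release cleanup for ${VERSION}."
```

Unlike a PR opened with GITHUB_TOKEN, a PR opened with a PAT or app token triggers other workflows (for example pull_request checks), so review which workflows run on PRs into develop before switching.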