From 49e5741171bb11ba53f9df7963d7c7d28e4a43fb Mon Sep 17 00:00:00 2001 From: Roman Lemekha Date: Fri, 26 Jun 2026 13:34:24 +0200 Subject: [PATCH] fix: use PAT for release-please so its PR triggers the required check The default GITHUB_TOKEN cannot trigger pull_request workflows (GitHub loop-prevention), so the release PR never got a `zizmor` run and stayed permanently BLOCKED under branch protection. Pass RELEASE_PLEASE_TOKEN (a fine-grained PAT scoped to this repo: contents + pull-requests write) to the action and the auto-merge step so the release PR triggers zizmor and can auto-merge on green. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release-please.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index be2d839..2a39b5a 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -25,6 +25,11 @@ jobs: - id: release uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 with: + # A PAT (not the default GITHUB_TOKEN) so the release PR it opens + # triggers pull_request workflows — the required `zizmor` check only + # runs on PRs, and a PR opened by GITHUB_TOKEN does not trigger it, + # which would deadlock the required-check gate. + token: ${{ secrets.RELEASE_PLEASE_TOKEN }} config-file: release-please-config.json manifest-file: .release-please-manifest.json @@ -35,7 +40,9 @@ jobs: - name: Enable auto-merge for non-major release PRs if: ${{ steps.release.outputs.prs_created == 'true' }} env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Same PAT as above so enabling auto-merge is attributed consistently + # and has pull-request write on this repo. + GH_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }} PRS: ${{ steps.release.outputs.prs }} run: | set -euo pipefail
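Review bot: The new `token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` line has no guard for the secret being unset or expired, and fine-grained PATs carry a mandatory expiry, so at some point this step will either fail with an opaque auth error or, depending on how the action treats an empty `token` input, quietly revert to GITHUB_TOKEN and reproduce the exact deadlock this commit fixes. A preflight step before `id: release` whose `env:` carries `RELEASE_PLEASE_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}` and whose `run:` does `test -n "$RELEASE_PLEASE_TOKEN" || { echo "::error::RELEASE_PLEASE_TOKEN is unset or empty"; exit 1; }` turns that into a named failure. The comment block is good on the *why* but should also record who owns the PAT and when it expires, e.g. `# Owner: <team or person>; expires <date> — rotate before then`, since nothing else in the repo will surface that. Note also that once a PAT is in use, any job-level `permissions:` block (outside this hunk) no longer bounds what release-please can do in the repo; a one-line comment saying so next to `token:` would prevent a later reader from assuming the job is still scoped by it.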
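Review bot: Switching `GH_TOKEN` to the PAT is not required by the problem the commit describes — the deadlock was the release PR never triggering the `zizmor` run, not a failure to enable auto-merge — and it widens the blast radius: the same secret now both opens the release PR and arms it to merge into the default branch as soon as the required check is green, so a single leaked token suffices to land a change on main. Unless attribution is a hard requirement, keeping `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` here (with `contents: write` and `pull-requests: write` on the job) limits the PAT to the one step that needs it. If the PAT is kept, the new comment should say what it actually grants rather than "attributed consistently", e.g. `# NOTE: this PAT can enable auto-merge on PRs it authored; branch protection must still require the zizmor check and must not let the PAT owner bypass it.` The step's `run:` body continues outside the hunk, so I could not confirm which `gh` subcommand consumes the token.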