mirror of
https://github.com/tiennm99/ccs.git
synced 2026-07-19 06:18:11 +00:00
fix(ci): use PAT token for dev release pushes
- align dev-release workflow with protected-branch bypass used by release.yml - add a workflow regression test so checkout and release auth do not drift back to github.token
This commit is contained in:
@@ -26,8 +26,9 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
ref: dev
|
ref: dev
|
||||||
# Always use the built-in workflow token; PAT rotation/breakage must not block dev releases.
|
# PAT_TOKEN required: dev-release pushes version bump commits to dev,
|
||||||
token: ${{ github.token }}
|
# and protected branches reject github.token writes once status checks are required.
|
||||||
|
token: ${{ secrets.PAT_TOKEN }}
|
||||||
|
|
||||||
- name: Setup Bun
|
- name: Setup Bun
|
||||||
uses: oven-sh/setup-bun@v2
|
uses: oven-sh/setup-bun@v2
|
||||||
@@ -58,10 +59,10 @@ jobs:
|
|||||||
id: release
|
id: release
|
||||||
env:
|
env:
|
||||||
HUSKY: 0
|
HUSKY: 0
|
||||||
# Use built-in GITHUB_TOKEN for release + issue operations.
|
# PAT_TOKEN bypasses branch protection so the workflow can push
|
||||||
# Checkout credentials are resolved above with PAT fallback.
|
# the dev release commit and tag back to the protected dev branch.
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
|
||||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GH_TOKEN: ${{ secrets.PAT_TOKEN }}
|
||||||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
@@ -0,0 +1,34 @@
|
|||||||
|
import { describe, expect, test } from 'bun:test';
|
||||||
|
import * as fs from 'node:fs';
|
||||||
|
import * as path from 'node:path';
|
||||||
|
|
||||||
|
function resolvePath(relativePath: string) {
|
||||||
|
return path.resolve(import.meta.dir, relativePath);
|
||||||
|
}
|
||||||
|
|
||||||
|
describe('dev release workflow', () => {
|
||||||
|
test('uses PAT_TOKEN for protected dev branch release pushes', () => {
|
||||||
|
const workflowPath = resolvePath('../../../../.github/workflows/dev-release.yml');
|
||||||
|
|
||||||
|
expect(fs.existsSync(workflowPath)).toBe(true);
|
||||||
|
|
||||||
|
const workflow = fs.readFileSync(workflowPath, 'utf8');
|
||||||
|
const checkoutSection = workflow.slice(
|
||||||
|
workflow.indexOf('- name: Checkout'),
|
||||||
|
workflow.indexOf('- name: Setup Bun')
|
||||||
|
);
|
||||||
|
const releaseSection = workflow.slice(
|
||||||
|
workflow.indexOf('- name: Release'),
|
||||||
|
workflow.indexOf('- name: Notify Discord')
|
||||||
|
);
|
||||||
|
|
||||||
|
expect(workflow).toContain('name: Dev Release');
|
||||||
|
expect(workflow).toContain('branches: [dev]');
|
||||||
|
expect(checkoutSection).toContain("token: ${{ secrets.PAT_TOKEN }}");
|
||||||
|
expect(checkoutSection).not.toContain('token: ${{ github.token }}');
|
||||||
|
expect(releaseSection).toContain('GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}');
|
||||||
|
expect(releaseSection).toContain('GH_TOKEN: ${{ secrets.PAT_TOKEN }}');
|
||||||
|
expect(releaseSection).not.toContain('GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}');
|
||||||
|
expect(releaseSection).not.toContain('GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}');
|
||||||
|
});
|
||||||
|
});
|
||||||
Reference in New Issue
Block a user