ci(release): use PAT_TOKEN for semantic-release branch protection bypass

semantic-release needs to push version bump + CHANGELOG commits directly
to main. GITHUB_TOKEN cannot bypass branch protection rules, causing
@semantic-release/git to fail with "push declined due to repository rule
violations". PAT_TOKEN has admin bypass and resolves the issue.
This commit is contained in:
Tam Nhu Tran
2026-03-04 01:52:11 +07:00
parent d7d9eb0891
commit 91280e3043
+7 -6
View File
@@ -20,8 +20,9 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
# Always use the built-in workflow token; PAT rotation/breakage must not block releases.
token: ${{ github.token }}
# PAT_TOKEN required: semantic-release pushes version bump commits to main,
# which needs branch protection bypass. github.token cannot push to protected branches.
token: ${{ secrets.PAT_TOKEN }}
- name: Setup Node.js
uses: actions/setup-node@v4
@@ -49,10 +50,10 @@ jobs:
id: release
env:
HUSKY: 0
# Use built-in GITHUB_TOKEN for release + issue operations.
# Checkout credentials are resolved above with PAT fallback.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# PAT_TOKEN bypasses branch protection so semantic-release can push
# version bump + CHANGELOG commits directly to main
GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
GH_TOKEN: ${{ secrets.PAT_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |