From b35c85d308ef2ddff8f04e46bd005eae5983bc91 Mon Sep 17 00:00:00 2001 From: Tam Nhu Tran Date: Mon, 2 Mar 2026 21:33:21 +0700 Subject: [PATCH] fix(ci): harden release workflows against PAT checkout failures --- .github/workflows/dev-release.yml | 17 +++++++++++++---- .github/workflows/release.yml | 7 ++++--- .github/workflows/sync-dev-after-release.yml | 3 ++- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 35db2a30..09051a3c 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -3,6 +3,11 @@ name: Dev Release on: push: branches: [dev] + workflow_dispatch: + +concurrency: + group: dev-release-${{ github.ref }} + cancel-in-progress: false jobs: release: @@ -21,7 +26,8 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - token: ${{ secrets.PAT_TOKEN }} + # Prefer PAT when available (workflow-trigger compatibility), but never hard-fail when PAT is missing/expired. + token: ${{ secrets.PAT_TOKEN != '' && secrets.PAT_TOKEN || github.token }} - name: Setup Bun uses: oven-sh/setup-bun@v2 @@ -42,15 +48,18 @@ jobs: - name: Build run: bun run build:all - - name: Validate (typecheck + lint + format + maintainability [strict] + tests) + - name: Validate (typecheck + lint + format + maintainability [warn] + tests) + env: + # Dev channel should surface maintainability regressions without blocking every merge. + CCS_MAINTAINABILITY_MODE: warn run: bun run validate - name: Release id: release env: HUSKY: 0 - # Use built-in GITHUB_TOKEN for bot identity on comments/releases - # PAT_TOKEN is only used for checkout (to trigger downstream workflows) + # Use built-in GITHUB_TOKEN for release + issue operations. + # Checkout credentials are resolved above with PAT fallback. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1d91bfe3..66767059 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,8 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - token: ${{ secrets.PAT_TOKEN }} + # Prefer PAT when available (workflow-trigger compatibility), but never hard-fail when PAT is missing/expired. + token: ${{ secrets.PAT_TOKEN != '' && secrets.PAT_TOKEN || github.token }} - name: Setup Node.js uses: actions/setup-node@v4 @@ -48,8 +49,8 @@ jobs: id: release env: HUSKY: 0 - # Use built-in GITHUB_TOKEN for bot identity on comments/releases - # PAT_TOKEN is only used for checkout (to trigger downstream workflows) + # Use built-in GITHUB_TOKEN for release + issue operations. + # Checkout credentials are resolved above with PAT fallback. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/sync-dev-after-release.yml b/.github/workflows/sync-dev-after-release.yml index 48495fe6..f48a44eb 100644 --- a/.github/workflows/sync-dev-after-release.yml +++ b/.github/workflows/sync-dev-after-release.yml @@ -20,7 +20,8 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - token: ${{ secrets.PAT_TOKEN }} + # Prefer PAT when available, but fall back to built-in token to avoid hard dependency on PAT rotation. + token: ${{ secrets.PAT_TOKEN != '' && secrets.PAT_TOKEN || github.token }} - name: Configure Git run: |