fix(ci): harden release workflows against PAT checkout failures

This commit is contained in:
Tam Nhu Tran
2026-03-02 21:33:21 +07:00
parent 78d58a4a91
commit b35c85d308
3 changed files with 19 additions and 8 deletions
+13 -4
View File
@@ -3,6 +3,11 @@ name: Dev Release
on:
push:
branches: [dev]
workflow_dispatch:
concurrency:
group: dev-release-${{ github.ref }}
cancel-in-progress: false
jobs:
release:
@@ -21,7 +26,8 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.PAT_TOKEN }}
# Prefer PAT when available (workflow-trigger compatibility), but never hard-fail when PAT is missing/expired.
token: ${{ secrets.PAT_TOKEN != '' && secrets.PAT_TOKEN || github.token }}
- name: Setup Bun
uses: oven-sh/setup-bun@v2
@@ -42,15 +48,18 @@ jobs:
- name: Build
run: bun run build:all
- name: Validate (typecheck + lint + format + maintainability [strict] + tests)
- name: Validate (typecheck + lint + format + maintainability [warn] + tests)
env:
# Dev channel should surface maintainability regressions without blocking every merge.
CCS_MAINTAINABILITY_MODE: warn
run: bun run validate
- name: Release
id: release
env:
HUSKY: 0
# Use built-in GITHUB_TOKEN for bot identity on comments/releases
# PAT_TOKEN is only used for checkout (to trigger downstream workflows)
# Use built-in GITHUB_TOKEN for release + issue operations.
# Checkout credentials are resolved above with PAT fallback.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+4 -3
View File
@@ -20,7 +20,8 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.PAT_TOKEN }}
# Prefer PAT when available (workflow-trigger compatibility), but never hard-fail when PAT is missing/expired.
token: ${{ secrets.PAT_TOKEN != '' && secrets.PAT_TOKEN || github.token }}
- name: Setup Node.js
uses: actions/setup-node@v4
@@ -48,8 +49,8 @@ jobs:
id: release
env:
HUSKY: 0
# Use built-in GITHUB_TOKEN for bot identity on comments/releases
# PAT_TOKEN is only used for checkout (to trigger downstream workflows)
# Use built-in GITHUB_TOKEN for release + issue operations.
# Checkout credentials are resolved above with PAT fallback.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+2 -1
View File
@@ -20,7 +20,8 @@ jobs:
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.PAT_TOKEN }}
# Prefer PAT when available, but fall back to built-in token to avoid hard dependency on PAT rotation.
token: ${{ secrets.PAT_TOKEN != '' && secrets.PAT_TOKEN || github.token }}
- name: Configure Git
run: |