diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae8b97d9..8d44855a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,8 +20,9 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - # Always use the built-in workflow token; PAT rotation/breakage must not block releases. - token: ${{ github.token }} + # PAT_TOKEN required: semantic-release pushes version bump commits to main, + # which needs branch protection bypass. github.token cannot push to protected branches. + token: ${{ secrets.PAT_TOKEN }} - name: Setup Node.js uses: actions/setup-node@v4 @@ -49,10 +50,10 @@ jobs: id: release env: HUSKY: 0 - # Use built-in GITHUB_TOKEN for release + issue operations. - # Checkout credentials are resolved above with PAT fallback. - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # PAT_TOKEN bypasses branch protection so semantic-release can push + # version bump + CHANGELOG commits directly to main + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + GH_TOKEN: ${{ secrets.PAT_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: |