From 343c36f97d949dfb85ee92a7161c60197413cf11 Mon Sep 17 00:00:00 2001 From: Tam Nhu Tran Date: Wed, 4 Mar 2026 01:42:29 +0700 Subject: [PATCH] ci(release): use PAT_TOKEN for semantic-release branch protection bypass semantic-release needs to push version bump + CHANGELOG commits directly to main. GITHUB_TOKEN cannot bypass branch protection rules, causing @semantic-release/git to fail with "push declined due to repository rule violations". PAT_TOKEN has admin bypass and resolves the issue. --- .github/workflows/release.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae8b97d9..8d44855a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,8 +20,9 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - # Always use the built-in workflow token; PAT rotation/breakage must not block releases. - token: ${{ github.token }} + # PAT_TOKEN required: semantic-release pushes version bump commits to main, + # which needs branch protection bypass. github.token cannot push to protected branches. + token: ${{ secrets.PAT_TOKEN }} - name: Setup Node.js uses: actions/setup-node@v4 @@ -49,10 +50,10 @@ jobs: id: release env: HUSKY: 0 - # Use built-in GITHUB_TOKEN for release + issue operations. - # Checkout credentials are resolved above with PAT fallback. - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # PAT_TOKEN bypasses branch protection so semantic-release can push + # version bump + CHANGELOG commits directly to main + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + GH_TOKEN: ${{ secrets.PAT_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: |