Files
ccs/.github/workflows/release.yml
T
Tam Nhu Tran 343c36f97d ci(release): use PAT_TOKEN for semantic-release branch protection bypass
semantic-release needs to push version bump + CHANGELOG commits directly
to main. GITHUB_TOKEN cannot bypass branch protection rules, causing
@semantic-release/git to fail with "push declined due to repository rule
violations". PAT_TOKEN has admin bypass and resolves the issue.
2026-03-04 01:42:29 +07:00

112 lines
3.9 KiB
YAML

name: Release
on:
push:
branches: [main]
workflow_dispatch:
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
pull-requests: write
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
# PAT_TOKEN required: semantic-release pushes version bump commits to main,
# which needs branch protection bypass. github.token cannot push to protected branches.
token: ${{ secrets.PAT_TOKEN }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: '1.3.9'
- name: Install dependencies
run: |
bun install --frozen-lockfile
cd ui && bun install --frozen-lockfile
- name: Build package
run: bun run build:all
- name: Validate (typecheck + lint + format + maintainability [strict] + tests)
run: bun run validate
- name: Release
id: release
env:
HUSKY: 0
# PAT_TOKEN bypasses branch protection so semantic-release can push
# version bump + CHANGELOG commits directly to main
GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
GH_TOKEN: ${{ secrets.PAT_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
OUTPUT=$(bunx semantic-release 2>&1) || true
echo "$OUTPUT"
if echo "$OUTPUT" | grep -q "Published release"; then
echo "released=true" >> $GITHUB_OUTPUT
else
echo "released=false" >> $GITHUB_OUTPUT
fi
- name: Notify Discord
if: success() && steps.release.outputs.released == 'true'
env:
DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
run: |
if [ -z "$DISCORD_WEBHOOK_URL" ]; then
echo "DISCORD_WEBHOOK_URL not set, skipping"
exit 0
fi
node scripts/send-discord-release.cjs production "$DISCORD_WEBHOOK_URL"
- name: Cleanup labels and close released issues
if: success() && steps.release.outputs.released == 'true'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# semantic-release already adds "released" label via .releaserc.cjs
# This step removes transitional labels and closes issues now in stable.
# Find issues with both "released" and "released-dev" labels
ISSUES=$(gh issue list --label "released" --label "released-dev" --state all --json number --jq '.[].number' 2>/dev/null || echo "")
for NUM in $ISSUES; do
echo "Cleaning up labels on issue #$NUM"
gh issue edit "$NUM" --remove-label "released-dev" --remove-label "pending-release" --repo "${{ github.repository }}" 2>/dev/null || true
done
# Also clean pending-release from any issues with released label
PENDING=$(gh issue list --label "released" --label "pending-release" --state all --json number --jq '.[].number' 2>/dev/null || echo "")
for NUM in $PENDING; do
echo "Removing pending-release from issue #$NUM"
gh issue edit "$NUM" --remove-label "pending-release" --repo "${{ github.repository }}" 2>/dev/null || true
done
# Close open issues that are marked as released
OPEN_RELEASED=$(gh issue list --label "released" --state open --json number --jq '.[].number' 2>/dev/null || echo "")
for NUM in $OPEN_RELEASED; do
echo "Closing released issue #$NUM"
gh issue close "$NUM" \
--comment "[bot] Closing issue because this fix/feature is now in stable release (@latest)." \
--repo "${{ github.repository }}" || true
done