fix(ci): use ACTIONS_PAT for main-release-marker push #18
Open
FedeZara wants to merge 1 commit into
The main-release-marker job's `git push origin main` is rejected by
branch protection (GH006: protected branch update failed, "Changes
must be made through a pull request"). This means the per-action
`<action>/RELEASES.md` ledger entries never land on main, and the
`chore(release): <action>@<version>` markers we designed for searchable
release history on main are silently dropped each release.
Fix mirrors fern's release-software.yml pattern: pass an `ACTIONS_PAT`
to actions/checkout so subsequent git operations authenticate as a
user/app that's been added to main's branch-protection bypass
allowlist. Falls back to GITHUB_TOKEN when ACTIONS_PAT isn't set, so
the existing "best-effort with warning" behavior is preserved for
anyone running the workflow without the PAT configured.
Operator action required to make this actually work:
1. Generate a fine-grained PAT (Contents: read and write on this repo)
under a user account that has bypass access for main's protection
rule. Same setup fern already uses.
2. Add it as `ACTIONS_PAT` repo secret in fern-api/actions.
The release workflow itself is unchanged in behavior when ACTIONS_PAT
is missing — it still releases successfully and logs the marker-push
warning.
Documents ACTIONS_PAT in CONTRIBUTING.md alongside the other required
secrets.
Summary

The release workflow's `main-release-marker` step tries `git push origin main` to land the `chore(release): <action>@<version>` ledger commit. That push is rejected by main's branch protection:

Confirmed in run 25934187071 (release of `preview@v0.0.1-ci-test`). The release itself succeeded — only the ledger commit was dropped, exactly as designed for the "best-effort marker" semantics. But that means `<action>/RELEASES.md` never gets populated on main, defeating the whole point of having the ledger.

Fix

Mirror fern's release-software.yml pattern: pass an `ACTIONS_PAT` secret to `actions/checkout` so subsequent `git push` calls authenticate as a user/app with branch-protection bypass.

Falls back to `GITHUB_TOKEN` if `ACTIONS_PAT` isn't configured — preserves the current "best-effort with warning" behavior for anyone running the workflow without the PAT.

Operator action required

To make the marker step actually push successfully:

1. fern-api/actions, owned by a user/app that's in main's branch-protection bypass allowlist (the same setup fern already uses for `ACTIONS_PAT`).
2. `ACTIONS_PAT` repo secret at Settings → Secrets and variables → Actions.

If you skip this, the workflow keeps working exactly as it does today — releases succeed, marker push fails with a warning, no `<action>/RELEASES.md` updates land.

Test plan

- `actionlint` clean
- `ACTIONS_PAT` secret, dispatch a test release (`verify-token@v0.0.1-marker-test`, prerelease) and confirm:
  - `verify-token/RELEASES.md` lands on main with the new entry
  - `chore(release): verify-token@v0.0.1-marker-test` commit shows up in `git log main`
  - `github-actions[bot]`
- `ACTIONS_PAT` isn't added, confirm the workflow still completes "success" overall with just the marker-step warning (regression check on the fallback path)
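The checkout-with-fallback pattern the PR describes, written out as an added example (this is not the PR's diff or the repository's workflow). The `on:` inputs, step names, the `HEAD:main` push and the ledger line format are assumptions; only `ACTIONS_PAT`, `GITHUB_TOKEN`, the `chore(release):` message and the `<action>/RELEASES.md` path come from the PR.

```yaml
# Added illustration of the PR's approach, not the project's own workflow file.
on:
  workflow_dispatch:
    inputs:
      action:  { description: "action name",   required: true, type: string }
      version: { description: "release tag",   required: true, type: string }

jobs:
  main-release-marker:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # enough for the GITHUB_TOKEN fallback, but not for bypass
    steps:
      - uses: actions/checkout@v4
        with:
          ref: main
          # An unset secret evaluates to "", so `||` falls through to GITHUB_TOKEN.
          # ACTIONS_PAT should be a fine-grained PAT scoped to this repo only
          # (Contents: read/write) under an identity on main's bypass allowlist.
          token: ${{ secrets.ACTIONS_PAT || secrets.GITHUB_TOKEN }}
          # Default is already true; spelled out because the later `git push`
          # relies on the token that checkout leaves in .git/config.
          persist-credentials: true

      - name: Append ledger entry and commit marker
        env:
          ACTION: ${{ inputs.action }}
          VERSION: ${{ inputs.version }}
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          mkdir -p "$ACTION"
          echo "- ${ACTION}@${VERSION}" >> "${ACTION}/RELEASES.md"
          git add "${ACTION}/RELEASES.md"
          git commit -m "chore(release): ${ACTION}@${VERSION}"

      - name: Push marker to main (best-effort)
        run: |
          # With only GITHUB_TOKEN this is the GH006 rejection the PR describes;
          # surface it as a workflow warning instead of failing the release.
          if ! git push origin HEAD:main; then
            echo "::warning::marker push to main rejected by branch protection;" \
                 "configure the ACTIONS_PAT secret to land ${ACTION}/RELEASES.md"
          fi
        env:
          ACTION: ${{ inputs.action }}
```

The `permissions: contents: write` grant only matters for the fallback path; a bypass-allowlisted PAT carries its own scope, so keep it to the one repo and the Contents permission.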