ci: use PAT for release-please to trigger required CI checks #20
Merged
PRs opened by GITHUB_TOKEN do not trigger pull_request workflows by
design (GitHub suppresses them to prevent infinite loops). With branch
protection requiring test/lint/security status checks on master, the
release PR ends up BLOCKED with no checks ever running.
Configure release-please-action to use RELEASE_PLEASE_PAT when present
so its PRs appear as user-driven events and CI runs normally. Falls
back to GITHUB_TOKEN until the secret is configured, so this change
is safe to merge before the PAT is created.
Setup (manual, one-time):
1. Create a fine-grained PAT scoped to this repo with permissions:
- contents: read/write
- pull_requests: read/write
- workflows: read/write (only needed if release PRs touch workflow
files, which is rare)
2. Add it as repo secret named RELEASE_PLEASE_PAT.
3. Next release PR will trigger CI automatically.
v1.5.0 (PR #15) merged successfully despite this latent issue because
CI was retriggered manually within 11 minutes of PR creation. v1.5.1
(PR #19) surfaced the bug because no manual retrigger happened.
Summary
PRs opened by the default `GITHUB_TOKEN` do not trigger `pull_request` workflows — GitHub suppresses these events to prevent infinite recursion when one workflow creates a PR that would trigger another. With branch protection on `master` requiring `test`/`lint`/`security` status checks, the auto-generated `release-please` PR ends up in `BLOCKED` state with no CI ever running.

This is what hit us today on PR #19 (v1.5.1). The previous release PR #15 (v1.5.0) silently dodged the issue because something retriggered CI manually 11 minutes after the PR opened (likely a UI "Update branch" click).
Fix
Pass an explicit PAT to `release-please-action` via the `token:` input. PRs created with a PAT appear as user-driven events to GitHub, so the `pull_request` trigger fires normally.

The `||` fallback to `GITHUB_TOKEN` means this PR is safe to merge before the secret is configured — the workflow keeps using the legacy behavior until the PAT is added. No disruption.

Setup checklist (one-time, after merging this PR)
- `mlorentedev/ts-bridge`
  - Contents: Read and write
  - Pull requests: Read and write
  - Workflows: Read and write (only if a release PR ever changes a `.github/workflows/*` file — uncommon)
- `RELEASE_PLEASE_PAT` (Settings → Secrets and variables → Actions → New repository secret)

Alternatives considered (rejected)

- `ci.yml` to `pull_request_target`
- … `test`/`lint` jobs … `master`

Test plan

- `go vet ./...` clean (no Go changes, just the workflow)
- … `fix:`/`feat:` to verify the next release PR has CI checks attached at creation time
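As an added illustration (not the PR's own diff, which this page does not show), here is the release-please step with the `GITHUB_TOKEN`-only setting beside the PAT-with-fallback form described above; the action reference `googleapis/release-please-action@v4`, the `release-type`, and the `push`-to-`master` trigger are assumptions, while `RELEASE_PLEASE_PAT` and the `||` fallback come from the PR description.

```yaml
# Added illustration, not the repository's own workflow file.
# Assumed: release workflow runs on pushes to master; action
# reference and release-type are placeholders for this example.
name: release

on:
  push:
    branches: [master]

# Least privilege for the job's own GITHUB_TOKEN; the PAT's
# scope is set separately when it is created (fine-grained,
# single repo, contents + pull requests read/write).
permissions:
  contents: write
  pull-requests: write

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # Before: a PR opened with GITHUB_TOKEN never fires the
      # pull_request workflows that branch protection requires,
      # so the release PR sits BLOCKED with no checks.
      #
      # - uses: googleapis/release-please-action@v4   # assumed ref
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}

      # After: prefer the PAT. An unset secret expands to an empty
      # string, which `||` treats as falsy, so the step keeps using
      # GITHUB_TOKEN (legacy behaviour) until the secret exists.
      - uses: googleapis/release-please-action@v4   # assumed ref
        with:
          token: ${{ secrets.RELEASE_PLEASE_PAT || secrets.GITHUB_TOKEN }}
          release-type: go   # assumed for this Go repo
```

Once the secret is present, the next release PR should show the required `test`/`lint`/`security` checks at creation time without a manual "Update branch" retrigger.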