Skip to content

fix(ci): use built-in GITHUB_TOKEN for Release instead of PAT#60

Merged
matt-evervault merged 1 commit into
masterfrom
fix/release-use-github-token
Jun 29, 2026
Merged

fix(ci): use built-in GITHUB_TOKEN for Release instead of PAT#60
matt-evervault merged 1 commit into
masterfrom
fix/release-use-github-token

Conversation

@matt-evervault

Copy link
Copy Markdown
Contributor

Problem

Every Release run fails at the actions/checkout step:

fatal: could not read Username for 'https://github.com': terminal prompts disabled

The workflow checks out with token: ${{ secrets.GH_TOKEN }}, and that PAT is no longer a valid credential (rotation didn't resolve it). The run-tests/e2e workflows pass on the same commits because they use the default GitHub-generated token.

Change

Applying the review suggestion: drop the PAT and use the token GitHub generates, granting the job only the permissions it needs.

  • Add a job-level permissions block: contents: write (push tags / version commits / create release) and pull-requests: write (changesets opens the "New Release" PR).
  • Remove token: from checkout so it uses the default github.token.
  • Point the changesets action env and the gh auth login in the release step at ${{ secrets.GITHUB_TOKEN }}.

Tradeoff

Commits/PRs created with the built-in GITHUB_TOKEN do not trigger downstream workflows. So the changesets "New Release" PR won't auto-run run-tests/e2e — they'll run once a human pushes to or merges that branch. This is the documented changesets reason a PAT is sometimes used; the review accepts it.

Verification

Merging to master triggers Release; getting past checkout (where every prior run died) confirms the fix.

🤖 Generated with Claude Code

The Release workflow failed at the actions/checkout step
(`could not read Username`) because the GH_TOKEN PAT is no longer a
valid credential. Rather than maintaining a PAT, grant the job the
permissions it needs (contents + pull-requests write) and use the
token GitHub generates automatically — the same approach the passing
test/e2e workflows already rely on.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: fd90d71

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@matt-evervault matt-evervault merged commit 09d194c into master Jun 29, 2026
10 checks passed
@matt-evervault matt-evervault deleted the fix/release-use-github-token branch June 29, 2026 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants