From fd90d712e393ddca2a1e75e7666722c5896c5d9f Mon Sep 17 00:00:00 2001
From: Matt Paletta
Date: Mon, 29 Jun 2026 10:47:46 +0100
Subject: [PATCH] fix(ci): use built-in GITHUB_TOKEN for release instead of PAT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Release workflow failed at the actions/checkout step (`could not read Username`) because the GH_TOKEN PAT is no longer a valid credential. Rather than maintaining a PAT, grant the job the permissions it needs (contents + pull-requests write) and use the token GitHub generates automatically — the same approach the passing test/e2e workflows already rely on.

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/release.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 356fa2d..556b41e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,12 +7,14 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v7
 with:
 fetch-depth: 0
- token: ${{ secrets.GH_TOKEN }}
 - name: Get tags
 run: git fetch --tags origin
 - name: Install Node Dependencies
@@ -29,7 +31,7 @@ jobs:
 commit: 'Release new version'
 version: npm run version
 env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Create new release
 if: steps.changesets.outputs.hasChangesets == 'false'
 run: |
@@ -37,7 +39,7 @@ jobs:
 COMMIT_TAG=$(git tag --points-at HEAD)
 if [ -n "$COMMIT_TAG" ]; then
 echo "A tag is attached to HEAD. Creating a new release..."
- echo "${{ secrets.GH_TOKEN }}" | gh auth login --with-token
+ echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
 CHANGELOG=$(awk '
 BEGIN { recording=0; }
 /^## / {
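Review bot: The `permissions:` block added under `release` in the first hunk is job-wide, so every step in the job, including the `Install Node Dependencies` step at the end of that hunk, runs with a token that can write repository contents and pull requests. `actions/checkout` also keeps that token in the local git configuration by default, where later steps can read it; whether the release step relies on the persisted credential to push is not visible here, so confirm that before adding `persist-credentials: false` under `with:`. At minimum, record why each scope is granted, e.g. `contents: write  # version commit, tags and the GitHub release` and `pull-requests: write  # version PR`, adjusted to the actual intent. The job's remaining steps lie outside the hunk.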
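Review bot: In the second hunk, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` changes more than the credential: events produced with the built-in token do not start other workflow runs, so a pull request or tag created by this step will no longer trigger the test/e2e workflows, or any tag- or release-triggered workflow, the way the PAT did. Creating pull requests with this token also depends on the repository setting that allows GitHub Actions to create pull requests, which cannot be checked from the diff. If the trade-off is accepted, note it above the variable, e.g. `# built-in token: PRs and tags created here do not trigger other workflows`. The step's `uses:` line is outside the hunk, so the action consuming the token is inferred from the `changesets` step id.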
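Review bot: In the third hunk, `echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token` has the token expanded into the script text before the shell runs, so the secret becomes part of the generated script instead of staying in the environment. `gh` reads `GH_TOKEN` from the environment, so the login line can be dropped by giving the step an `env:` entry `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which also avoids storing the credential in gh's configuration on the runner. The `run:` block starts before this hunk and continues past it, so the `env:` key belongs on the step next to `if:` and `run:`.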