diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 646fde9..0d40588 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -10,9 +10,16 @@ jobs:
 tag:
 runs-on: ubuntu-latest
 steps:
+ - name: Verify RELEASE_TOKEN is configured
+ run: |
+ if [ -z "${{ secrets.RELEASE_TOKEN }}" ]; then
+ echo "::error::RELEASE_TOKEN secret is not configured. Tags pushed with the default GITHUB_TOKEN cannot trigger the Release workflow."
+ exit 1
+ fi
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ token: ${{ secrets.RELEASE_TOKEN }}
 - name: Check for version bump
 id: version
 run: |
@@ -51,5 +58,3 @@ jobs:
 echo "Failed to push tag $TAG"
 exit 1
 fi
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1892414..5684500 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Docker dependency cache now survives version-only bumps by normalizing the root package version in a preparatory build stage.
+### Fixed
+- Auto Tag workflow now uses `RELEASE_TOKEN` instead of `GITHUB_TOKEN` so the pushed tag triggers the Release workflow. Tags pushed by the default `GITHUB_TOKEN` do not trigger other workflows (GitHub Actions security feature).
+
 ## [1.3.0] - 2026-03-12
 ### Added
diff --git a/Cargo.lock b/Cargo.lock
index dbb6c8a..23a52f6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -989,7 +989,7 @@ dependencies = [
 [[package]]
 name = "initium"
-version = "1.3.0"
+version = "1.3.1"
 dependencies = [
 "base64 0.22.1",
 "clap",
diff --git a/Cargo.toml b/Cargo.toml
index 6926259..75799f8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "initium"
-version = "1.3.0"
+version = "1.3.1"
 edition = "2021"
 rust-version = "1.88"
 authors = ["Kitstream "]
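Review bot: In the first hunk of .github/workflows/auto-tag.yml, the added "Verify RELEASE_TOKEN is configured" step expands `${{ secrets.RELEASE_TOKEN }}` directly into the `run:` script, so the token value becomes part of the shell source rather than data the shell reads. Pass it through the environment instead: add `env:` with `RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}` to that step and test `if [ -z "$RELEASE_TOKEN" ]; then`. The new `token:` input on actions/checkout also leaves that credential in the job's git configuration by default, so every later step runs with it, including the version-check and push steps whose bodies lie outside this hunk. A comment above `token:` stating that RELEASE_TOKEN should be a fine-grained token limited to contents write on this repository would record the intended scope. The workflow trigger is not visible here, so it is worth confirming this job never runs for untrusted refs now that it holds a longer-lived credential than the default GITHUB_TOKEN.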