From 878cfad80a611222fa101deb4b0db964f713b764 Mon Sep 17 00:00:00 2001
From: mikkeldamsgaard
Date: Thu, 12 Mar 2026 13:39:37 +0100
Subject: [PATCH 1/3] fix: use RELEASE_TOKEN in auto-tag so tag push triggers release workflow Tags pushed with the default GITHUB_TOKEN do not trigger other workflows (GitHub Actions security feature). Switch to RELEASE_TOKEN (PAT or App token) so the v* tag push triggers the Release workflow.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/auto-tag.yml | 3 ++-
 CHANGELOG.md | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 646fde9..285657e 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -13,6 +13,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
+ token: ${{ secrets.RELEASE_TOKEN }}
 - name: Check for version bump
 id: version
 run: |
@@ -52,4 +53,4 @@ jobs:
 exit 1
 fi
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1892414..5684500 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Docker dependency cache now survives version-only bumps by normalizing the root package version in a preparatory build stage.
+### Fixed
+- Auto Tag workflow now uses `RELEASE_TOKEN` instead of `GITHUB_TOKEN` so the pushed tag triggers the Release workflow. Tags pushed by the default `GITHUB_TOKEN` do not trigger other workflows (GitHub Actions security feature).
+
 ## [1.3.0] - 2026-03-12
 ### Added
From e2c43409cd49e58e51eff3ecc65feea54a103bf1 Mon Sep 17 00:00:00 2001
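Review bot: The `token: ${{ secrets.RELEASE_TOKEN }}` line added to the `actions/checkout@v4` step in `.github/workflows/auto-tag.yml` (first hunk of patch 1/3) hands a PAT or App token to an action referenced by a mutable tag, and checkout's default `persist-credentials: true` leaves that token in the local git config for every later step of the job, including the "Check for version bump" script. Because this credential is chosen precisely for its ability to trigger other workflows, I would pin the action to a full commit SHA (`uses: actions/checkout@<full-commit-sha>`) and record the minimum scope next to the line, e.g. `# RELEASE_TOKEN: fine-grained PAT or App token limited to contents write on this repository`. If only the tag push needs it, consider checking out with the default token and supplying RELEASE_TOKEN to the push step alone. The job's `permissions:` block and triggers lie outside this hunk, so which refs can reach this job cannot be judged from here.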
From: mikkeldamsgaard
Date: Thu, 12 Mar 2026 14:20:31 +0100
Subject: [PATCH 2/3] fix: add RELEASE_TOKEN preflight check and remove unused env var Address review feedback: - Fail fast with a clear error if RELEASE_TOKEN secret is not configured - Remove unused GITHUB_TOKEN env var from tag push step (git push already uses credentials from actions/checkout with persist-credentials)
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/auto-tag.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 285657e..0d40588 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -10,6 +10,12 @@ jobs:
 tag:
 runs-on: ubuntu-latest
 steps:
+ - name: Verify RELEASE_TOKEN is configured
+ run: |
+ if [ -z "${{ secrets.RELEASE_TOKEN }}" ]; then
+ echo "::error::RELEASE_TOKEN secret is not configured. Tags pushed with the default GITHUB_TOKEN cannot trigger the Release workflow."
+ exit 1
+ fi
 - uses: actions/checkout@v4
 with:
 fetch-depth: 0
@@ -52,5 +58,3 @@ jobs:
 echo "Failed to push tag $TAG"
 exit 1
 fi
- env:
- GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
From 0b209d29a2dc2a61b7fb064ecf0c23632294af9c Mon Sep 17 00:00:00 2001
From: mikkeldamsgaard
Date: Thu, 12 Mar 2026 14:22:41 +0100
Subject: [PATCH 3/3] release: v1.3.1
Co-Authored-By: Claude Opus 4.6
---
 Cargo.lock | 2 +-
 Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index dbb6c8a..23a52f6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -989,7 +989,7 @@ dependencies = [
 [[package]]
 name = "initium"
-version = "1.3.0"
+version = "1.3.1"
 dependencies = [
 "base64 0.22.1",
 "clap",
diff --git a/Cargo.toml b/Cargo.toml
index 6926259..75799f8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "initium"
-version = "1.3.0"
+version = "1.3.1"
 edition = "2021"
 rust-version = "1.88"
 authors = ["Kitstream "]
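Review bot: The "Verify RELEASE_TOKEN is configured" step added in the first hunk of patch 2/3 expands `${{ secrets.RELEASE_TOKEN }}` directly into the `run:` script, so the token's value becomes part of the shell source the runner writes out and executes, and a value containing `"`, `$` or a backtick would change how the `[ -z … ]` test parses. Pass the secret through the environment instead: add an `env:` entry `RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}` to the step and test `if [ -z "$RELEASE_TOKEN" ]; then`. The fail-fast behaviour and the `::error::` message stay exactly as they are.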