Skip to content

fix: update preflight #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bartzbeielstein merged 1 commit into from
Apr 1, 2026
Merged

fix: update preflight #57

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 23 additions & 14 deletions .github/workflows/release-preflight.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,34 +40,43 @@ jobs:
- name: Set up uv
uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0

- name: Verify SEMANTIC_RELEASE_TOKEN is configured
env:
RELEASE_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
run: |
set -euo pipefail
if [ -z "${RELEASE_TOKEN:-}" ]; then
echo "::error title=Missing secret::SEMANTIC_RELEASE_TOKEN is not set."
echo "::error::Create a fine-grained PAT (or classic PAT with 'repo' scope) and add it"
echo "::error::as a repository secret named SEMANTIC_RELEASE_TOKEN:"
echo "::error:: Settings → Secrets and variables → Actions → New repository secret"
echo "::error::The token needs Contents: Read and write on this repository."
echo "::error::github.token cannot be used here — org-level Actions permissions restrict it to read-only."
exit 1
fi

- name: Configure authenticated Git remote
env:
RELEASE_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN || github.token }}
RELEASE_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
run: |
git remote set-url origin https://x-access-token:${RELEASE_TOKEN}@github.com/${{ github.repository }}.git

- name: Preflight token and push checks
env:
RELEASE_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN || github.token }}
GH_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN || github.token }}
RELEASE_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
run: |
set -euo pipefail

if [ -z "${RELEASE_TOKEN:-}" ]; then
echo "::error::No release token available (SEMANTIC_RELEASE_TOKEN or github.token)."
exit 1
fi

echo "Checking authenticated read access to ${GITHUB_REPOSITORY}..."
git ls-remote --exit-code origin HEAD >/dev/null

echo "Checking push permission via GitHub API..."
push_perm=$(gh api "repos/${GITHUB_REPOSITORY}" --jq '.permissions.push' 2>/dev/null || echo "false")
if [ "${push_perm}" != "true" ]; then
echo "::error::Token does not have push permission to ${GITHUB_REPOSITORY}. Set SEMANTIC_RELEASE_TOKEN to a PAT with repo write access."
echo "Checking write access via dry-run push to unprotected ref..."
test_ref="refs/preflight/sr-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
if ! git push --dry-run origin "HEAD:${test_ref}" 2>&1; then
echo "::error::SEMANTIC_RELEASE_TOKEN exists but cannot push to ${GITHUB_REPOSITORY}."
echo "::error::Ensure the PAT has Contents: Read and write (fine-grained) or 'repo' scope (classic)."
echo "::error::For org repos, also verify the fine-grained PAT was approved in org settings."
exit 1
fi

echo "Checking tag push permission (same as push)... already verified above."

echo "Preflight passed: token and push permissions are sufficient for semantic-release."
Loading