fix(release): support optional PAT for release-please PR creation#24
Conversation
Root cause of all-repo Release Please failures: the default GITHUB_TOKEN cannot create pull requests when a repository's Settings > Actions > General > Workflow permissions > "Allow GitHub Actions to create and approve pull requests" toggle is disabled. release-please-action fails atomically with: ##[error]release-please failed: GitHub Actions is not permitted to create or approve pull requests. Because this happens inside the single manifest run, the already-merged release commit's tag/GitHub Release is never created either — hence 'gh release list' returning empty even after 'chore(main): release 1.0.0' PRs were merged. The repeated 'commit could not be parsed' messages for merge-commit and free-text subjects are pre-existing, non-fatal release-please warnings (excluded from the changelog by design) — not the cause of failure. Confirmed via API on autogen, .github, and cas-platform: can_approve_pull_request_reviews: false This adds an optional 'release-please-token' secret input to the reusable workflow, passed through to the action as 'token:', falling back to github.token when unset. This lets callers opt into a scoped PAT / GitHub App installation token (which is not subject to the Actions PR-creation restriction) without requiring the broader, org-wide 'Allow Actions to create/approve PRs' setting to be enabled. Backward compatible: no behavior change for existing pinned callers until they (a) repin to a commit that includes this fix and (b) pass a token via 'secrets: release-please-token' or 'secrets: inherit'.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Packet 1 is now complete on this PR branch. In addition to the reusable workflow token input, the branch now also wires the .github self-caller to pass |
Root cause
All 13 repos' "Release Please" workflow runs fail on the same fatal error, not the
"commit could not be parsed" lines (those are pre-existing, non-fatal warnings for
merge commits / free-text subjects — release-please skips them from the changelog by
design and continues normally).
The actual fatal error, confirmed by full
--log-failedreads onautogen,.github,and
cas-platform:This is not a workflow YAML permissions problem — the reusable workflow's job
already grants
contents: write,pull-requests: write,issues: write, and therun logs confirm the token was actually issued those scopes
(
GITHUB_TOKEN Permissions: Contents: write / PullRequests: write / ...).It is a repository-level Settings toggle: Settings → Actions → General →
Workflow permissions → "Allow GitHub Actions to create and approve pull requests".
Confirmed via the API on all three sampled repos:
can_approve_pull_request_reviews: falseblocks GITHUB_TOKEN-authenticated PRcreation regardless of the workflow's own
permissions:block.Why
gh release listis emptyrelease-please-actionruns both "create GitHub Release for the last merged releasePR" and "propose/update the next release PR" inside a single
Manifest.run()call.When the PR-creation call throws, the whole run aborts — so even after
chore(main): release 1.0.0PRs were merged, the tag and GitHub Release were nevercreated. Verified directly:
gh api repos/.../autogen/tags→[],gh api repos/.../autogen/releases→[].Non-fatal parse warnings
commit could not be parsed: ... Merge pull request #N from .../Add MIT LICENSE/Remove test fileetc. are expected — these commit subjects arenot Conventional Commits. release-please logs a warning and excludes them from the
changelog; it does not fail the run. No
bootstrap-sha/ commit-filtering configchange is needed — this is by-design behavior, confirmed by the run continuing past
every one of these warnings to the actual (unrelated) fatal PR-creation error.
Fix in this PR
Adds an optional
release-please-tokensecret input to the reusable workflow,passed to
googleapis/release-please-actionastoken:, falling back togithub.tokenwhen unset:A PAT / GitHub App installation token is not subject to the "Actions can
create/approve PRs" restriction, so this lets any caller opt in with a narrowly
scoped token instead of flipping the broader, org-wide/repo-wide setting (which
affects every workflow in the repo, not just release-please).
Backward compatible — no behavior change for existing pinned callers until they
both (a) repin to a commit that includes this fix, and (b) supply a token via
secrets: release-please-token: ...orsecrets: inherit.What this PR does NOT do (by design, per operator scope)
requests" setting — that is an administrative action outside this session's
authorization (denied by the local permission classifier when attempted as a
read-only capability check).
release-please-tokensecret — that requires the operatorto mint a PAT / GitHub App installation token with
contents:write+pull-requests:writeand store it as a repo or org Actions secret.reusable workflow by SHA (e.g.
autogen's caller pins64c1673088ff7802f1270a44f03bc4d7a10631f2), so this fix has no effect until eachcaller is repinned. Re-pinning is deferred pending the operator's choice between
the two remediation paths below, to avoid 13 speculative PRs before a token/setting
decision is made.
Remediation paths for the operator (pick one)
create and approve pull requests" on each of the 13 repos (or once at the org
level, if not overridden per-repo). Simplest, but broadens what every workflow in
the repo can do, not just release-please.
token scoped to
contents:write+pull-requests:write, store it asRELEASE_PLEASE_TOKEN(repo or org secret), then once this PR merges: repin eachcaller to the merge commit SHA and add
secrets: { release-please-token: \${{ secrets.RELEASE_PLEASE_TOKEN }} }(orsecrets: inheritif the secret is org-level and visible to the repo).Verification
python -c "import yaml; yaml.safe_load(open('.github/workflows/release-please-reusable.yml'))"→ YAML OKNot merging this myself — leaving for review per session authorization.