
Commit 7545168

Copilot and devakesu authored
Use PAT in auto-tag-release to enable Release workflow triggering (#355)
* Initial plan

* Update auto-tag-release job to use PAT for triggering release workflow
  - Remove unused actions:write permission
  - Add RELEASE_TOKEN to checkout step to enable workflow triggering
  - Add explanatory comments about PAT requirement
  Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* Add detailed documentation for RELEASE_TOKEN requirements
  - Document required PAT permissions (Contents: Read and write)
  - Add setup instructions directly in workflow file
  - Reference official GitHub PAT creation URL
  Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* docs: Add RELEASE_TOKEN documentation to all relevant files
  - Update .example.env with RELEASE_TOKEN setup instructions
  - Add Prerequisites section in RELEASING.md for PAT configuration
  - Add troubleshooting section for release workflow issues
  - Update README.md production checklist
  - Include setup steps, required permissions, and security checklist
  Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* docs: Improve security guidance and clarify placeholders
  - Reduce recommended PAT expiration from 1 year to 90 days-6 months
  - Add token rotation guidance for better security practices
  - Clarify OWNER/REPO placeholder in .example.env
  Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* docs: Refine guidance for clarity and decision-making
  - Clarify OWNER/REPO placeholder replacement with example
  - Provide specific expiration guidance (90 days vs 6 months trade-off)
  Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>
1 parent f60f46b commit 7545168

File tree

4 files changed

+59
-2
lines changed


.example.env

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -327,6 +327,16 @@ IMAGE_NAME=ghostclass
327327
SOURCE_DATE_EPOCH=1767225600
328328
APP_COMMIT_SHA=<auto-generated-by-github-actions>
329329
#
330+
# Release Automation:
331+
# RELEASE_TOKEN=<personal-access-token>
332+
# - Fine-Grained Personal Access Token for auto-tag-release workflow
333+
# - Required to trigger the Release workflow when version tags are pushed
334+
# - Create at: https://github.com/settings/tokens?type=beta
335+
# - Required permissions: Contents - Read and write
336+
# - Repository access: Only select repositories (select this repo)
337+
# - Add as repository secret at: https://github.com/OWNER/REPO/settings/secrets/actions
338+
# (Replace entire 'OWNER/REPO' with your values, e.g., 'yourname/ghostclass')
339+
#
330340
# Sentry (same as above):
331341
# SENTRY_ORG=devakesu
332342
# SENTRY_PROJECT=ghostclass
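Review bot: The `# RELEASE_TOKEN=<personal-access-token>` line in this block is formatted like the application environment variables around it, but nothing in the app reads it; it is consumed only by the `auto-tag-release` job via `secrets.RELEASE_TOKEN`. Add a line such as `# - Do NOT put this value in a deployed .env file; it is used only as a GitHub Actions repository secret` so a PAT with write access to the repository does not end up copied into container or server environments alongside the runtime secrets listed above.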
@@ -396,6 +406,10 @@ COOLIFY_API_TOKEN=<your-api-token>
396406
# 8. Set up GitHub Secrets (for CI/CD):
397407
# - Go to your repository > Settings > Secrets and variables > Actions
398408
# - Add all the secrets listed in the "GITHUB SECRETS CONFIGURATION" section
409+
# - IMPORTANT: Add RELEASE_TOKEN (Personal Access Token) for auto-tag-release:
410+
# * Create at: https://github.com/settings/tokens?type=beta
411+
# * Required permissions: Contents - Read and write
412+
# * Add as repository secret named: RELEASE_TOKEN
399413
#
400414
# ============================================================================
401415
# SECURITY CHECKLIST
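Review bot: Step 8 now repeats the token creation URL and the required permission from the "Release Automation" block earlier in this file, so the two copies will drift (the earlier block already carries a "Repository access" line that this one lacks). Consider keeping the IMPORTANT line and replacing the three `*` sub-bullets with a single `# * See the 'Release Automation' section above for creation steps and permissions`.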
@@ -407,5 +421,6 @@ COOLIFY_API_TOKEN=<your-api-token>
407421
# ✅ All secrets are stored in environment variables (not hardcoded)
408422
# ✅ Production secrets are different from development secrets
409423
# ✅ GitHub Secrets are configured for CI/CD pipeline
424+
# ✅ RELEASE_TOKEN (PAT) is configured for auto-tag-release workflow
410425
# ✅ Derived variables (URLs, emails) are constructed automatically
411426
# ============================================================================
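Review bot: The new checklist item confirms that `RELEASE_TOKEN` exists but not that it is still valid; unlike `GITHUB_TOKEN`, a PAT expires, and RELEASING.md in this same commit recommends a 90-day to 6-month expiry with rotation reminders. Suggest `# ✅ RELEASE_TOKEN (PAT) is configured for auto-tag-release workflow and has an expiry/rotation reminder set`, so the checklist covers the failure mode the troubleshooting section describes.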

.github/workflows/pipeline.yml

Lines changed: 7 additions & 2 deletions
@@ -231,12 +231,16 @@ jobs:
231231
runs-on: ubuntu-latest
232232
permissions:
233233
contents: write
234-
actions: write
235234
steps:
236235
- name: Checkout
237236
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
238237
with:
239238
fetch-depth: 0
239+
# Use PAT instead of GITHUB_TOKEN to allow triggering the Release workflow
240+
# Required permissions: Contents - Read and write
241+
# Setup: Create Fine-Grained PAT at https://github.com/settings/tokens?type=beta
242+
# and add as repository secret named RELEASE_TOKEN
243+
token: ${{ secrets.RELEASE_TOKEN }}
240244

241245
- name: Setup Node.js
242246
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
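Review bot: Passing `token: ${{ secrets.RELEASE_TOKEN }}` to `actions/checkout` persists the PAT in the checkout's `.git/config` (persist-credentials defaults to true), so every later step in this job, including `Setup Node.js` and any npm scripts it runs, can read a credential with Contents write on the repository; that is wider exposure than the job-scoped `GITHUB_TOKEN` it replaces. If only the tag push needs the PAT, consider `persist-credentials: false` on this step and supplying the token to the push step alone. Also, since the push no longer goes through `GITHUB_TOKEN`, check whether `contents: write` under `permissions:` is still required by anything else in this job or can be reduced to `contents: read`.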
@@ -316,7 +320,8 @@ jobs:
316320
exit 1
317321
fi
318322
319-
# Push tag with error handling
323+
# Push tag with PAT (this will trigger the release workflow)
324+
# Note: Using GITHUB_TOKEN would NOT trigger the release workflow
320325
if ! git push origin "${VERSION_TAG}"; then
321326
echo "ERROR: Failed to push tag ${VERSION_TAG}"
322327
echo "The tag was created locally but not pushed to remote"
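Review bot: The new comment says the push now uses the PAT, but the error branch below it (`ERROR: Failed to push tag`) gives no hint about the most likely new failure cause: a missing, expired or under-permissioned `RELEASE_TOKEN`. Add a line such as `echo "Check that the RELEASE_TOKEN secret exists, has not expired and has Contents: Read and write"` so the job log points operators at the same checks the troubleshooting section in RELEASING.md lists.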

README.md

Lines changed: 1 addition & 0 deletions
@@ -573,6 +573,7 @@ docker run -p 3000:3000 --env-file .env ghostclass
573573
7. ✅ Enable HTTPS with valid SSL certificate
574574
8. ✅ Set up cron jobs for attendance sync
575575
9. ✅ Configure legal terms version and effective date
576+
10. ✅ Set up `RELEASE_TOKEN` secret for auto-release workflow (see [RELEASING.md](RELEASING.md))
576577

577578
<br />
578579

RELEASING.md

Lines changed: 36 additions & 0 deletions
@@ -50,6 +50,29 @@ We follow [Semantic Versioning 2.0.0](https://semver.org/):
5050

5151
There are three ways to create a release:
5252

53+
### Prerequisites
54+
55+
Before using the auto-tag-release feature, ensure the `RELEASE_TOKEN` secret is configured:
56+
57+
1. **Create a Fine-Grained Personal Access Token**:
58+
- Go to https://github.com/settings/tokens?type=beta
59+
- Click "Generate new token"
60+
- Token name: `GhostClass Release Automation` (or similar)
61+
- Expiration: Choose appropriate expiration (recommend 90 days for higher security, up to 6 months for convenience; set rotation reminders)
62+
- Repository access: "Only select repositories" → Select your repository
63+
- Permissions:
64+
- Repository permissions → **Contents: Read and write**
65+
- Click "Generate token" and copy the token value
66+
67+
2. **Add the token as a repository secret**:
68+
- Go to your repository's Settings > Secrets and variables > Actions
69+
- Click "New repository secret"
70+
- Name: `RELEASE_TOKEN`
71+
- Secret: Paste the PAT value
72+
- Click "Add secret"
73+
74+
**Note**: The `RELEASE_TOKEN` is required for the auto-tag-release workflow to trigger the Release workflow. Without it, version tags will be created but releases won't be automatically published.
75+
5376
### Automatic Release (On Version Bump)
5477

5578
**NEW**: When you update the version in `package.json` and push to the main branch, the CI/CD pipeline will automatically:
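Review bot: The new `### Prerequisites` subsection is inserted between `There are three ways to create a release:` and the first of those three ways (`### Automatic Release`), so the intro sentence no longer leads into its list. Move the Prerequisites block above that sentence, or give it its own section, so the three release methods directly follow their introduction. The **Note** at the end would also benefit from one sentence on scope: a PAT with Contents: Read and write can push to any branch of the selected repository, so it should be created by an account with no more access than this workflow needs and rotated on the schedule chosen in step 1.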
@@ -284,6 +307,19 @@ After creating a release:
284307

285308
## Troubleshooting
286309

310+
### Release workflow not triggered after tag push
311+
312+
**Check:**
313+
- Verify `RELEASE_TOKEN` secret is configured in repository settings
314+
- Ensure the token has `Contents: Read and write` permissions
315+
- Check that the token hasn't expired
316+
- Verify the token is added to the correct repository
317+
318+
If the tag was created but release workflow didn't trigger:
319+
1. The tag was likely pushed using `GITHUB_TOKEN` instead of `RELEASE_TOKEN`
320+
2. GitHub Actions workflows cannot trigger other workflows when using `GITHUB_TOKEN`
321+
3. Solution: Reconfigure `RELEASE_TOKEN` and re-push the tag (see Prerequisites section)
322+
287323
### Release workflow fails during build
288324

289325
**Check:**
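Review bot: Step 3 under "If the tag was created but release workflow didn't trigger" says to reconfigure `RELEASE_TOKEN` and re-push the tag, but pushing a tag that already exists on the remote is a no-op (`Everything up-to-date`) and fires no `push` event, so the Release workflow still will not run. The instructions should say to delete the remote tag first (`git push --delete origin <tag>`) and push it again with the PAT, or to start the Release workflow manually if it supports `workflow_dispatch`.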
