Make the release workflow run only from stefanhaller's fork

stefanhaller · stefanhaller · commit f735c6af1757 · 2025-07-06T12:08:25.000+02:00
As far as I can tell, this is the only way to make sure that releases show up as
created by me. Also, we totally don't want it to run in other people's forks
(although it would likely just have failed there, but still).

The restriction only applies to scheduled runs; manually triggering the action
is still possible from everywhere. There needs to be a personal access token
named LAZYGIT_RELEASE_PAT configured on the repo for this to work, though.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -30,6 +30,12 @@ jobs:
   check-and-release:
     runs-on: ubuntu-latest
     steps:
+      - name: Check for correct repository
+        if: ${{ github.event_name != 'workflow_dispatch' && github.repository != 'stefanhaller/lazygit' }}
+        run: |
+          echo "Should only run in the stefanhaller/lazygit repository"
+          exit 1
+
       - name: Check for first Saturday of the month
         if: ${{ github.event_name != 'workflow_dispatch' }}
         run: |
@@ -41,6 +47,8 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
         with:
+          repository: jesseduffield/lazygit
+          token: ${{ secrets.LAZYGIT_RELEASE_PAT }}
           fetch-depth: 0
 
       - name: Get Latest Tag
@@ -89,7 +97,7 @@ jobs:
             exit 1
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.LAZYGIT_RELEASE_PAT }}
 
       - name: Calculate next version
         run: |
@@ -126,7 +134,7 @@ jobs:
           git tag ${{ env.new_tag }}
           git push origin ${{ env.new_tag }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_API_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.LAZYGIT_RELEASE_PAT }}
 
       - name: Setup Go
         uses: actions/setup-go@v5
@@ -140,11 +148,11 @@ jobs:
           version: v2
           args: release --clean
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_API_TOKEN}}
+          GITHUB_TOKEN: ${{secrets.LAZYGIT_RELEASE_PAT}}
 
       - name: Bump Homebrew formula
         uses: dawidd6/action-homebrew-bump-formula@v3
         with:
-          token: ${{secrets.GITHUB_API_TOKEN}}
+          token: ${{secrets.LAZYGIT_RELEASE_PAT}}
           formula: lazygit
           tag: ${{env.new_tag}}
