1+
12name : Auto Publish to NPM
23
4+ # This workflow requires two secrets to be configured in the repository:
5+ #
6+ # 1. NPM_TOKEN: An NPM automation token for publishing packages
7+ # - Go to npmjs.com → Profile → Access Tokens → Generate New Token
8+ # - Select "Automation" type (bypasses 2FA)
9+ # - Ensure it has publish permissions for your package
10+ #
11+ # 2. RELEASE_TOKEN: A GitHub Personal Access Token for bypassing branch protection
12+ # - Go to github.com → Settings → Developer settings → Personal access tokens
13+ # - Generate a "Classic" token with these permissions:
14+ # - repo (Full control of private repositories)
15+ # - workflow (Update GitHub Action workflows)
16+ # - OR use Fine-grained PAT with "Contents: write" and "Pull requests: write"
17+ # - If main branch is protected, ensure the token can bypass pull request requirements
18+
319on :
420 pull_request :
521 types : [closed]
2339 uses : actions/checkout@v4
2440 with :
2541 fetch-depth : 0
26- token : ${{ secrets.GITHUB_TOKEN }}
42+ token : ${{ secrets.RELEASE_TOKEN || secrets. GITHUB_TOKEN }}
2743
2844 - name : Setup Yarn and generate lockfile
2945 run : |
@@ -130,9 +146,19 @@ jobs:
130146 - name : Configure Git
131147 if : steps.validate-branch.outputs.should_publish == 'true'
132148 run : |
149+ # Configure git with release token for branch protection bypass
133150 git config --local user.email "[email protected] " 134151 git config --local user.name "Kubit Release Bot"
135152
153+ # Set up authentication for push operations
154+ if [ -n "${{ secrets.RELEASE_TOKEN }}" ]; thenn
155+ echo "🔐 Using RELEASE_TOKEN with branch protection bypass permissions"
156+ git remote set-url origin https://x-access-token:${{ secrets.RELEASE_TOKEN }}@github.com/${{ github.repository }}.git
157+ else
158+ echo "⚠️ Using default GITHUB_TOKEN - may fail on protected branches"
159+ echo "💡 Add RELEASE_TOKEN secret with 'Contents: write' and 'Pull requests: write' permissions"
160+ fi
161+
136162 - name : Determine version bump (Enhanced)
137163 if : steps.validate-branch.outputs.should_publish == 'true'
138164 id : version-bump
@@ -254,7 +280,6 @@ jobs:
254280 if : steps.validate-branch.outputs.should_publish == 'true'
255281 run : |
256282 echo "🔍 Performing dry run..."
257- echo "ℹ️ Using NPM automation token (bypasses 2FA)"
258283 npm publish --dry-run --access public
259284 env :
260285 NODE_AUTH_TOKEN : ${{ secrets.NPM_TOKEN }}
@@ -267,7 +292,6 @@ jobs:
267292 VERSION_TYPE="${{ steps.version-bump.outputs.version_type }}"
268293
269294 echo "📦 Publishing to NPM..."
270- echo "🔐 Using NPM automation token (bypasses 2FA)"
271295
272296 if [[ "$VERSION_TYPE" == "major" ]]; then
273297 echo "⚠️ Publishing MAJOR version $NEW_VERSION"
@@ -285,9 +309,22 @@ jobs:
285309 if : steps.npm-publish.outputs.published == 'true'
286310 run : |
287311 echo "📤 Pushing changes to repository..."
288- git push origin main
289- git push origin --tags
290- echo "✅ Changes pushed successfully"
312+
313+ if [ -n "${{ secrets.RELEASE_TOKEN }}" ]; then
314+ echo "🔐 Using RELEASE_TOKEN to bypass branch protection"
315+ git push origin main
316+ git push origin --tags
317+ echo "✅ Changes and tags pushed successfully to main"
318+ else
319+ echo "⚠️ Using GITHUB_TOKEN - attempting push (may fail on protected branches)"
320+ if git push origin main && git push origin --tags; then
321+ echo "✅ Changes and tags pushed successfully"
322+ else
323+ echo "❌ Push failed - likely due to branch protection rules"
324+ echo "💡 Consider adding RELEASE_TOKEN secret with bypass permissions"
325+ exit 1
326+ fi
327+ fi
291328
292329 - name : Create GitHub Release
293330 if : steps.npm-publish.outputs.published == 'true'
@@ -378,22 +415,26 @@ jobs:
378415
379416 ### 🔧 Common Solutions
380417 - **NPM Token**: Verify NPM_TOKEN is valid and has publish permissions
381- - **Automation Token**: Ensure you're using an NPM automation token (bypasses 2FA)
382- - **Token Permissions**: Check that the token has publish permissions for this package
418+ - **Release Token**: Add RELEASE_TOKEN secret to bypass branch protection rules
419+ - **Token Permissions**: Check that tokens have correct permissions
383420 - **Version Conflict**: Check if version already exists in NPM
384421 - **Build Issues**: Ensure all tests pass locally and build completes successfully
385422
386- ### 🔐 NPM Token Requirements
387- 1. **Type**: Must be an "Automation" token from npmjs.com
388- 2. **Scope**: Should have access to publish the package
389- 3. **Permissions**: Must have publish permissions
390- 4. **Secret**: Should be stored as NPM_TOKEN in repository secrets
423+ ### 🔐 Required Secrets Configuration
424+ 1. **NPM_TOKEN**:
425+ - Type: "Automation" token from npmjs.com
426+ - Scope: Access to publish the package
427+
428+ 2. **RELEASE_TOKEN** (Required for protected branches):
429+ - Type: Personal Access Token with bypass permissions
430+ - Permissions: "Contents: write", "Pull requests: write"
431+ - Special: "Bypass pull request requirements" if needed
391432
392433 ### 📞 Next Steps
393- 1. Verify NPM_TOKEN is an automation token with correct permissions
394- 2. Check the error logs for specific authentication issues
395- 3. Create a new PR with the same changes
396- 4. Or use manual publish workflow if urgent `;
434+ 1. **NPM Issues**: Verify NPM_TOKEN is an automation token
435+ 2. **Branch Protection**: Add RELEASE_TOKEN secret with bypass permissions
436+ 3. **Logs**: Check error logs for specific authentication issues
437+ 4. **Manual Process**: Create a new PR if tokens can't be configured `;
397438
398439 await github.rest.issues.createComment({
399440 issue_number: context.issue.number,
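Review bot: In the Configure Git step (new lines 154–156) `${{ secrets.RELEASE_TOKEN }}` is pasted into the script text and then into the origin URL, so a PAT that can bypass branch protection sits in plain text in `.git/config` and in anything that prints the remote. The checkout step already gets `token: ${{ secrets.RELEASE_TOKEN || secrets.GITHUB_TOKEN }}` and by default keeps it for later git commands, so the `git remote set-url` line appears unnecessary and can be dropped; the presence test here and at new line 313 is safer as a step-level `env: HAS_RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN != '' }}` checked with `if [ "$HAS_RELEASE_TOKEN" = "true" ]; then`. As rendered, line 154 ends in `thenn`; if that is in the file, the step fails with a shell syntax error. The header comment would do better to recommend the fine-grained PAT limited to this repository first, because the classic `repo` + `workflow` scopes apply to every repository the token owner can write to.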