ci: route changelog push through BOT_TOKEN PAT#78
Merged
Conversation
GITHUB_TOKEN is blocked by the PRS-ONLY ruleset on master and the github-actions integration cannot be added as a bypass actor (must be installed at org level). Switch back to BOT_TOKEN, which belongs to a member of the bypass team and can push directly. Keep the post-#77 fixes: ref:master on checkout, push to master explicitly, no-op skip, and the concurrency group.
duzos
added
bug
github-actions
Bot
added
the
S: Untriaged
Contributor
There was a problem hiding this comment.
Pull request overview
Routes the “Update Changelog” GitHub Actions workflow back through a PAT-based BOT_TOKEN so the workflow can git push to master despite the “PRS ONLY” ruleset, restoring automated changelog backfill after merges.
Changes:
- Swaps
actions/checkoutand the changelog updater environment fromsecrets.GITHUB_TOKENtosecrets.BOT_TOKEN. - Removes the job-level
permissions:block (no longer relevant when not relying onGITHUB_TOKEN). - Pushes via an authenticated
https://x-access-token:${TOKEN}@github.com/...URL and restores thegithub-botgit identity.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
26
to
32
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| ref: master | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| token: ${{ secrets.BOT_TOKEN }} | ||
|
|
Owner
Author
There was a problem hiding this comment.
Fixed in 2f93d02 — switched the trigger to pull_request_target. Verified: this runs in the base-repo context (so secrets are exposed for fork-PR merges), and since we already ref: master on checkout we never run code from the PR head, which keeps the usual pull_request_target risk closed off.
pull_request workflows do not receive secrets when triggered by a PR from a fork, even on the closed/merged event, so external contributions would silently skip changelog updates. switch to pull_request_target - safe here since we check out ref:master and never run code from the PR head.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
.github/workflows/append_changelog.yml:24
- The workflow trigger was switched to
pull_request_target, but the jobif:condition still checksgithub.event_name == 'pull_request'. For merged PRs this will now evaluate false (event name will bepull_request_target), so the job won’t run and the changelog won’t be updated. Update the condition to matchpull_request_target(and keep the merged check).
# only proceed if merge event or manual run
if: |
(github.event_name == 'pull_request' && github.event.pull_request.merged == true) ||
(github.event_name == 'workflow_dispatch')
trigger swap in 2f93d02 left the gate checking event_name=='pull_request', which never matches now and would skip the job on every merge. match the new event name.
Owner
Author
|
Caught the if-condition mismatch from the suppressed-confidence comment too — pushed 90b74a7 updating the gate to |
Comment on lines
26
to
45
| @@ -44,19 +41,21 @@ jobs: | |||
| - name: Run changelog updater | |||
| env: | |||
| GITHUB_REPOSITORY: ${{ github.repository }} | |||
| BOT_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |||
| BOT_TOKEN: ${{ secrets.BOT_TOKEN }} | |||
| GITHUB_EVENT_PATH: ${{ github.event_path }} | |||
Comment on lines
49
to
+61
| - name: Commit & push | ||
| env: | ||
| TOKEN: ${{ secrets.BOT_TOKEN }} | ||
| run: | | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git config user.name "github-bot" | ||
| git config user.email "bot@users.noreply.github.com" | ||
| git add CHANGELOG.md | ||
| if git diff --cached --quiet; then | ||
| echo "No changelog changes to commit." | ||
| exit 0 | ||
| fi | ||
| git commit -m "docs: update CHANGELOG" | ||
| git push origin HEAD:master No newline at end of file | ||
| git push https://x-access-token:${TOKEN}@github.com/${{ github.repository }} HEAD:master No newline at end of file |
Comment on lines
18
to
24
| jobs: | ||
| append-changelog: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: read | ||
| # only proceed if merge event or manual run | ||
| if: | | ||
| (github.event_name == 'pull_request' && github.event.pull_request.merged == true) || | ||
| (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true) || | ||
| (github.event_name == 'workflow_dispatch') |
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
About the PR
Follow-up to #77. The
GITHUB_TOKENswap landed but the post-merge dispatch then died atgit pushbecause thePRS ONLYruleset onmasterrequires a PR. The built-ingithub-actionsintegration cannot be added as a bypass actor for that ruleset (GitHub rejects with "must be part of the ruleset source or owner organization").BOT_TOKENhas been regenerated and belongs to a member of the existing bypass team, so it can push directly. This PR routes auth back throughBOT_TOKENwhile keeping every other fix from #77.Why / Balance
No gameplay impact - CI only. Restores the post-merge
Update Changelogworkflow to a working state so changelog backfill can proceed.Technical details
secrets.GITHUB_TOKEN->secrets.BOT_TOKENon theactions/checkoutstep, the updater env, and the push steppermissions:block - it only constrainedGITHUB_TOKENand we no longer use ithttps://x-access-token:${TOKEN}@github.com/...push URL patterngithub-botgit config identity (matches prior commit metadata; the actual pusher in the audit log is the PAT owner regardless)ref: masteron checkout, push to master explicitly, no-op skip when the diff is empty, and the workflow-levelconcurrencygroupMedia
N/A - CI only.
Requirements
Breaking changes
None.
Backfill plan (post-merge)
After this merges: