fix(ci): add persist-credentials: false to unblock PAT push#194
Merged
Conversation
The 'Create and push tag' step used the default GITHUB_TOKEN from actions/checkout, which lacks push permission. This caused a 403 error when the workflow_dispatch trigger attempted to create and push a tag. Use the PAT_TOKEN secret (already used for the changelog commit) to authenticate the tag push. Signed-off-by: Carlo van Driesten <carlo.van-driesten@bmw.de>
The checkout step's default GITHUB_TOKEN extraheader was overriding the PAT_TOKEN set via git remote set-url, causing 403 on tag push. Setting persist-credentials: false prevents the extraheader from being stored, allowing the explicit PAT_TOKEN URL to take effect. Signed-off-by: Carlo van Driesten <carlo.van-driesten@bmw.de>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The release workflow fails at the "Create and push tag" step with:
Root Cause
Commit 4bc1423 removed
token: ${{ secrets.PAT_TOKEN }}from theactions/checkout@v4step to prevent a workflow trigger loop. However, the checkout still stores anhttp.extraheadergit config with the defaultGITHUB_TOKEN. This extraheader overrides the PAT credentials set later viagit remote set-url, so pushes still use the unprivileged token.Fix
Add
persist-credentials: falseto the checkout step. This prevents the default token's extraheader from being stored, allowing the explicitgit remote set-urlwithPAT_TOKENto take effect for tag and changelog pushes.Testing
yarn lint:ci✅ (no source changes)persist-credentials: falsedisables extraheader storage