morgane/EverShelf
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

ci: fix auto-merge — clear checkout extraheader so WORKFLOW_PAT actually reaches git push

Browse Source
This commit is contained in:
dadaloop82
2026-05-23 09:35:53 +00:00
parent 6857c20893
commit 561c6e9809
1 changed files with 29 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
+29 -6
View File
@@ -113,12 +113,15 @@ jobs:
- name: Merge develop → main - name: Merge develop → main
run: | run: |
# WORKFLOW_PAT (classic PAT with repo+workflow scopes) is required to # ── ROOT CAUSE FIX ──────────────────────────────────────────────────
# push commits that touch .github/workflows/ files. # actions/checkout writes an http.extraheader (AUTHORIZATION: basic …)
# Falls back to GITHUB_TOKEN for non-workflow pushes. # that silently overrides any credentials embedded in git remote URLs.
PUSH_TOKEN="${{ secrets.WORKFLOW_PAT }}" # We must clear it BEFORE setting the remote URL with WORKFLOW_PAT,
if [ -z "$PUSH_TOKEN" ]; then PUSH_TOKEN="${{ github.token }}"; fi # otherwise GITHUB_TOKEN is always used for the push and workflow-file
git remote set-url origin "https://x-access-token:${PUSH_TOKEN}@github.com/${{ github.repository }}.git" # changes are rejected.
# ────────────────────────────────────────────────────────────────────
git config --local --unset-all http."https://github.com/".extraheader 2>/dev/null || true
LAST=$(git log --oneline -1 origin/develop) LAST=$(git log --oneline -1 origin/develop)
git checkout main git checkout main
git pull --ff-only origin main git pull --ff-only origin main
@@ -126,6 +129,26 @@ jobs:
-m "chore: auto-merge develop → main -m "chore: auto-merge develop → main
Triggered by: $LAST" Triggered by: $LAST"
# ── PUSH STRATEGY ───────────────────────────────────────────────────
# Priority 1: WORKFLOW_PAT (classic PAT, repo+workflow scopes)
# → can push workflow file changes; set as a repo secret.
# Priority 2: GITHUB_TOKEN fallback
# → cannot push workflow files; strip them from the merge commit.
# ────────────────────────────────────────────────────────────────────
PUSH_TOKEN="${{ secrets.WORKFLOW_PAT }}"
if [ -z "$PUSH_TOKEN" ]; then
WF=$(git diff --name-only origin/main -- .github/workflows/ 2>/dev/null || echo "")
if [ -n "$WF" ]; then
echo "::warning::WORKFLOW_PAT not set — stripping workflow changes from merge commit:"
echo "$WF"
git checkout origin/main -- .github/workflows/
git diff --cached --quiet || git commit --amend --no-edit
fi
PUSH_TOKEN="${{ github.token }}"
fi
git remote set-url origin "https://x-access-token:${PUSH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin main git push origin main
# ── Auto-create GitHub Release on main ─────────────────────────────────── # ── Auto-create GitHub Release on main ───────────────────────────────────