Skip to content

Support custom token for triggering CI on version PRs#12

Merged
theoephraim merged 14 commits into
mainfrom
fix/version-pr-ci-triggers
Apr 15, 2026
Merged

Support custom token for triggering CI on version PRs#12
theoephraim merged 14 commits into
mainfrom
fix/version-pr-ci-triggers

Conversation

@theoephraim

@theoephraim theoephraim commented Apr 15, 2026

Copy link
Copy Markdown
Member

Summary

  • Add BUMPY_GH_TOKEN env var — when set, bumpy pushes the version branch using the custom token, bypassing GitHub's anti-recursion guard so PR workflows fire automatically
  • Add bumpy ci setup interactive command that walks users through creating a fine-grained PAT or GitHub App and stores it as a repo secret via gh secret set
  • BUMPY_GH_TOKEN is only used for the git push — PR comments and other gh CLI calls continue using the default GITHUB_TOKEN so they appear as the Actions bot
  • Temporarily clears the actions/checkout extraheader during push so the custom token is actually used (no persist-credentials: false needed)
  • Only warns about missing token on GitHub Actions — other CI providers don't have this limitation

Test plan

  • Run bumpy ci setup locally, verify PAT flow works end-to-end
  • Set BUMPY_GH_TOKEN secret, merge a changeset, verify version PR triggers CI checks
  • Verify PR comments still appear as GitHub Actions bot (not the PAT user)
  • Test without BUMPY_GH_TOKEN set — verify warning is logged

🤖 Generated with Claude Code

theoephraim and others added 12 commits April 15, 2026 10:58
@theoephraim @claude
Add BUMPY_GH_TOKEN support and ci setup command
4c16a33 
Replace the non-working API commit reroute with a token-aware push
that temporarily swaps the remote URL to use a custom PAT/App token.
Add interactive `bumpy ci setup` command that walks users through
creating a fine-grained PAT or GitHub App and storing the secret.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Only use BUMPY_GH_TOKEN for git push, not gh CLI calls
82453b7 
Keep PR comments and other gh CLI operations using the default
GH_TOKEN (GitHub Actions bot) so they aren't attributed to the
PAT owner. Users can opt in by setting GH_TOKEN directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Clear checkout extraheader before pushing with custom token
4d63233 
actions/checkout sets http.extraheader with the default GITHUB_TOKEN,
which takes precedence over URL-embedded credentials. Temporarily
unset it during the push so BUMPY_GH_TOKEN is actually used, then
restore it afterward. This avoids requiring persist-credentials: false.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Make PAT the recommended option in ci setup
2527736 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Tweak GitHub App hint text in ci setup
be05db2 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Add resource owner and expiration steps to PAT setup instructions
b545866 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Remove redundant GH_TOKEN from workflow snippets and release config
0326c72 
gh CLI auto-detects GITHUB_TOKEN in GitHub Actions, so explicitly
setting GH_TOKEN is unnecessary. Users only need BUMPY_GH_TOKEN.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Highlight new lines in green, dim existing lines in workflow snippets
9b9c5c7 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Use detected package manager in ci setup workflow snippets
38227b4 
Detect bun/pnpm/yarn/npm and show the appropriate run command
in workflow examples instead of hardcoding bunx.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Add branch protection tip to PAT setup instructions
08916b6 
Remind users to enable branch protection on main so the PAT
can only be used to push the version branch, not write directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Detect existing secret and adjust messaging when replacing
88a9dc5 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Improve non-GitHub handling in ci setup and push
cf85d52 
Clarify that ci setup only supports GitHub-hosted repos. Only show
the BUMPY_GH_TOKEN warning when running on GitHub Actions, since
other CI providers don't have the same anti-recursion limitation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Apr 15, 2026
edited
Loading

Copy link
Copy Markdown

bumpy-frog

The changes in this PR will be included in the next version bump.

patch Patch releases

  • @varlock/bumpy 0.0.1 → 0.0.2

Changesets in this PR

Click here if you want to add another changeset to this PR

This comment is maintained by bumpy.

theoephraim and others added 2 commits April 15, 2026 13:56
@theoephraim @claude
Change bump type to patch
570627e 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim @claude
Remove made-up docs URL from warning message
05a2223 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@theoephraim theoephraim merged commit 7729476 into main Apr 15, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theoephraim