
Commit 56e8cb1

ci(release): push via RELEASE_TOKEN PAT instead of deploy-key SSH (#15)
The v0.4.0 release attempt failed because maven-release-plugin's direct push to main was rejected by the new main-protection ruleset:

    remote: error: GH006: Protected branch update failed for refs/heads/main.
    remote: - 8 of 8 required status checks are expected.

Deploy keys can't be bypass actors on a ruleset (only Users, Apps, Teams, or RepositoryRoles can). Switch to a fine-grained PAT owned by the repo admin, whose Admin role IS a bypass actor on main-protection.

Changes:

- actions/checkout uses token: RELEASE_TOKEN, which configures an http.extraheader so all subsequent github.com pushes authenticate as the PAT owner.
- Drop the webfactory/ssh-agent step (no more SSH push).
- Override developerConnection to HTTPS in release:prepare so maven-release-plugin pushes over HTTPS and picks up that extraheader. (pom's developerConnection stays SSH for local-dev convenience.)
- Pull github.repository into a REPO env var per workflow security guidance (no longer interpolating ${{ }} directly in run: blocks).

MAVEN_RELEASE_SSH_KEY secret and the deploy key are now unused; can be removed in a follow-up after one or two successful releases confirm the PAT path.
1 parent 55426c5 commit 56e8cb1

1 file changed

Lines changed: 17 additions & 6 deletions

File tree

.github/workflows/release.yml

@@ -83,13 +83,17 @@ jobs:
8383
attestations: write
8484
runs-on: ubuntu-latest
8585
steps:
86+
# Checkout with RELEASE_TOKEN (fine-grained PAT owned by repo admin,
87+
# Contents+Workflows R/W on this repo only). actions/checkout configures
88+
# an http.extraheader so subsequent git pushes authenticate as the PAT
89+
# owner. The owner has the Admin role, which is a bypass actor on the
90+
# "main-protection" ruleset — so release:prepare can push the
91+
# `prepare release` and `prepare for next development iteration` commits
92+
# without satisfying the 8 required status checks first.
8693
- uses: actions/checkout@v6
8794
with:
8895
fetch-depth: 0
89-
90-
- uses: webfactory/ssh-agent@v0.10.0
91-
with:
92-
ssh-private-key: ${{ secrets.MAVEN_RELEASE_SSH_KEY }}
96+
token: ${{ secrets.RELEASE_TOKEN }}
9397

9498
- uses: actions/setup-java@v5
9599
with:
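Review bot: the RELEASE_TOKEN handed to `actions/checkout@v6` at line 96 is persisted into the checkout's git config for the rest of the job (checkout's default is `persist-credentials: true`), so every later step, including the Maven build and whatever plugins it resolves, runs with a credential that has Contents and Workflows write on the repo and bypasses main-protection; that is exactly what `release:prepare` needs, but the comment block at 86-92 should say so, and with that much reach in the job it would be worth pinning `actions/checkout@v6` and `actions/setup-java@v5` to full commit SHAs instead of floating major tags, since a compromised action version could now push to main or rewrite workflow files. The comment also does not record the PAT's expiry or who rotates it; fine-grained PATs expire, and the next failure mode of this job is a silently expired token, so a note on lifetime/rotation next to the "Contents+Workflows R/W" description would save the next person a debugging session.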
@@ -109,17 +113,24 @@ jobs:
109113
run: |
110114
git config --global user.name "github-actions[bot]"
111115
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
112-
mvn -B -ntp -Dstyle.color=always release:prepare -P sign
116+
# pom.xml's developerConnection still points at the SSH URL for
117+
# local-dev convenience. CI doesn't have an SSH key any more — it
118+
# auths via the http.extraheader actions/checkout set up — so
119+
# override developerConnection to HTTPS so maven-release-plugin
120+
# pushes over HTTPS and picks up the PAT credential.
121+
mvn -B -ntp -Dstyle.color=always release:prepare -P sign \
122+
-DdeveloperConnection=scm:git:https://github.com/${REPO}.git
113123
cat release.properties
114124
RELEASE_TAG=$(grep '^scm.tag=' release.properties | cut -d'=' -f2)
115125
echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"
116126
mvn -B -ntp -Dstyle.color=always release:perform -P sign \
117-
-DconnectionUrl=scm:git:https://github.com/${{ github.repository }}.git
127+
-DconnectionUrl=scm:git:https://github.com/${REPO}.git
118128
echo "Released ${RELEASE_TAG} 🚀" >> "$GITHUB_STEP_SUMMARY"
119129
env:
120130
OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
121131
OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
122132
MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
133+
REPO: ${{ github.repository }}
123134

124135
# release:perform checks the tagged code into target/checkout/ and runs
125136
# the central+sign profiles (see <releaseProfiles> in pom.xml). The
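Review bot: the `-DdeveloperConnection=scm:git:https://github.com/${REPO}.git` override at line 122 is what makes this whole change work, but nothing in the hunk shows that maven-release-plugin honours a `developerConnection` user property in preference to the pom's `<scm>` element (the `connectionUrl` property on `release:perform` at 127 is the documented one); before the deploy key and MAVEN_RELEASE_SSH_KEY are removed as the commit message plans, the first run's `release:prepare` log should be checked for the push going to the `https://github.com/...` URL rather than the SSH one, and the comment at 116-120 could cite the plugin parameter it relies on. Minor style point: `${REPO}` is unquoted in both mvn arguments; `github.repository` is `owner/name` with no whitespace so it is harmless, but quoting it (`"${REPO}"`) matches the intent of moving it out of `${{ }}` interpolation in the first place.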
