fix(ci): use intervene-ci PAT for semantic-release#99
Merged
pablofmena merged 1 commit intomasterfrom Apr 6, 2026
Merged
Conversation
GITHUB_TOKEN cannot push to protected branches regardless of push restriction settings. Switch back to CI_TOKEN (fine-grained PAT from intervene-ci, which is in the push restrictions) for semantic-release git and API operations. Keep GITHUB_TOKEN id-token:write for npm OIDC provenance. Made-with: Cursor
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
Collaborator
|
🎉 This PR is included in version 5.0.1 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Scope
Follow-up to #96 and #98. The
GITHUB_TOKENcannot push to protected branches — this is a GitHub platform limitation regardless of push restriction settings. Switches back toCI_TOKEN(a fine-grained PAT fromintervene-ci, which is in themasterpush restrictions) for semantic-release operations.Implementation
GH_TOKENset toCI_TOKENsecret — used by semantic-release for both GitHub API calls (@semantic-release/github) and git push (@semantic-release/git).persist-credentials: falserestored on checkout — preventsactions/checkoutfrom injectingGITHUB_TOKENgit credentials that would conflict with the PAT.id-token: writekept for npm OIDC provenance publishing.contents: writeandissues: writeremoved from workflow permissions — no longer needed since the PAT provides those scopes.CI_TOKENsecret is a fine-grained PAT fromintervene-ciscoped tosoundcloud/intervenewithcontents:write+issues:write.How To Test
Merge and wait for the next releasable commit on
master. The release workflow should complete the full cycle: analyze commits, update CHANGELOG, bump version, push to master, publish to npm, and create a GitHub Release.Made with Cursor