ci: use fine-grained PAT for release-please to trigger Docker builds

GITHUB_TOKEN cannot trigger other workflows by design. Using a fine-grained PAT (RELEASE_PLEASE_TOKEN) scoped to this repo only allows releases to properly trigger the docker-publish workflow. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-28 17:42:55 +01:00 · 2026-01-05 08:56:34 +01:00
parent 5e5d63fca3
commit 2730a9d906
1 changed files with 12 additions and 1 deletions
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -5,6 +5,17 @@ on:
    branches:
      - main

+# Note: We use a fine-grained PAT (RELEASE_PLEASE_TOKEN) instead of GITHUB_TOKEN
+# because GITHUB_TOKEN cannot trigger other workflows (like docker-publish.yml).
+# This is a GitHub security feature to prevent infinite workflow loops.
+#
+# The PAT requires these permissions (scoped to this repository only):
+# - Contents: Read and write (for creating releases and pushing tags)
+# - Pull requests: Read and write (for creating/updating release PRs)
+#
+# To rotate: Settings > Developer settings > Fine-grained tokens
+# Recommended rotation: Every 90 days
+
 permissions:
  contents: write
  pull-requests: write
@@ -16,6 +27,6 @@ jobs:
      - name: Release Please
        uses: googleapis/release-please-action@v4
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json