From 2730a9d906eeb5761af29dd69e8d4ebbfca50491 Mon Sep 17 00:00:00 2001
From: Jorijn Schrijvershof
Date: Mon, 5 Jan 2026 08:56:34 +0100
Subject: [PATCH] ci: use fine-grained PAT for release-please to trigger Docker builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GITHUB_TOKEN cannot trigger other workflows by design. Using a fine-grained PAT (RELEASE_PLEASE_TOKEN) scoped to this repo only allows releases to properly trigger the docker-publish workflow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/release-please.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 0882e85..a1eeba5 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -5,6 +5,17 @@ on:
 branches:
 - main
+# Note: We use a fine-grained PAT (RELEASE_PLEASE_TOKEN) instead of GITHUB_TOKEN
+# because GITHUB_TOKEN cannot trigger other workflows (like docker-publish.yml).
+# This is a GitHub security feature to prevent infinite workflow loops.
+#
+# The PAT requires these permissions (scoped to this repository only):
+# - Contents: Read and write (for creating releases and pushing tags)
+# - Pull requests: Read and write (for creating/updating release PRs)
+#
+# To rotate: Settings > Developer settings > Fine-grained tokens
+# Recommended rotation: Every 90 days
+
 permissions:
 contents: write
 pull-requests: write
@@ -16,6 +27,6 @@ jobs:
 - name: Release Please
 uses: googleapis/release-please-action@v4
 with:
-token: ${{ secrets.GITHUB_TOKEN }}
+token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
 config-file: release-please-config.json
 manifest-file: .release-please-manifest.json
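Review bot: The added comment block ends with `# Recommended rotation: Every 90 days`, but nothing in the workflow enforces that, and a missed rotation leaves a long-lived credential with write access to this repository in place indefinitely; a fine-grained PAT can be created with an expiration date, which is the only way a forgotten rotation fails closed. I would add `# Set an expiration on the token when creating it so rotation is enforced, not just recommended.` and, because a PAT is bound to one user account and stops working when that account leaves, `# Alternative: a GitHub App installation token (e.g. actions/create-github-app-token) is short-lived and not tied to a person.`. The `permissions:` block in the same hunk still grants GITHUB_TOKEN `contents: write` and `pull-requests: write`, which the release step no longer exercises once it is handed the PAT; if no other step in the job needs them (the rest of the job is outside the hunk), narrow them to `contents: read`.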
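Review bot: The step at `uses: googleapis/release-please-action@v4` now receives a long-lived user PAT that, per the commit's own comment, can push tags and create releases (and thereby trigger docker-publish), yet the action is pinned only to a mutable major tag, so anyone able to move `v4` could run arbitrary code with that token. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: googleapis/release-please-action@<full-commit-sha>  # v4`, and let Dependabot or Renovate bump it. The `jobs:`/`steps:` header of this step lies outside the hunk, so I cannot tell whether other steps in the same job also have access to the secret.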