From 2641ff3d1aaacebe53b8788d5633332aae8585ed Mon Sep 17 00:00:00 2001
From: Alexander Bayandin
Date: Tue, 12 Sep 2023 20:01:21 +0100
Subject: [PATCH] Use CI_ACCESS_TOKEN to create release PR (#5286)

## Problem
If @github-actions creates release PR, the CI pipeline is not triggered (but we have `release-notify.yml` workflow that we expect to run on this event). I suspect this happened because @github-actions is not a repository member. Ref https://github.com/neondatabase/neon/pull/5283#issuecomment-1715209291

## Summary of changes
- Use `CI_ACCESS_TOKEN` to create a PR
- Use `gh` instead of `thomaseizinger/create-pull-request`
- Restrict permissions for GITHUB_TOKEN to `contents: write` only (required for `git push`)
---
 .github/workflows/release.yml | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 17a43fe8c1..36af98f96e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,11 +7,14 @@ on:
 jobs:
   create_release_branch:
-    runs-on: [ubuntu-latest]
+    runs-on: [ ubuntu-latest ]
+
+    permissions:
+      contents: write # for `git push`
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: main
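Review bot: `runs-on: [ ubuntu-latest ]` only changes the spacing of a one-element flow sequence; a single runner label is conventionally the plain scalar `runs-on: ubuntu-latest`, which is also what yamllint and Prettier prefer over a space-padded flow list. The job-level `permissions:` block with only `contents: write` is the right shape, since it drops every other default GITHUB_TOKEN scope for this job, matching what the commit description states as the intent. The create_release_branch job continues past the end of this hunk.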
@@ -26,9 +29,16 @@ jobs:
         run: git push origin releases/${{ steps.date.outputs.date }}
 
       - name: Create pull request into release
-        uses: thomaseizinger/create-pull-request@e3972219c86a56550fb70708d96800d8e24ba862 # 1.3.0
-        with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          head: releases/${{ steps.date.outputs.date }}
-          base: release
-          title: Release ${{ steps.date.outputs.date }}
+        env:
+          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
+        run: |
+          cat << EOF > body.md
+          ## Release ${{ steps.date.outputs.date }}
+
+          **Please merge this PR using 'Create a merge commit'!**
+          EOF
+
+          gh pr create --title "Release ${{ steps.date.outputs.date }}" \
+            --body-file "body.md" \
+            --head "releases/${{ steps.date.outputs.date }}" \
+            --base "release"
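Review bot: The new `run:` script splices `${{ steps.date.outputs.date }}` into the shell three times (the heredoc body, `--title` and `--head`), and workflow expressions are expanded by the runner before bash parses the script, so the value lands as script text rather than as data. The `date` step that produces it lies outside this hunk, so I cannot confirm it is a fixed `date` format; the standard hardening is to expose the value through `env:` and reference it as a shell variable, which also stops the unquoted `<< EOF` heredoc from re-interpreting any `$` or backtick that the substitution might carry. The context line `run: git push origin releases/${{ ... }}` above has the same pattern and would take the same treatment. The step now authenticates with the `CI_ACCESS_TOKEN` PAT, whose scope is not visible here; a one-line comment next to `GH_TOKEN:` stating the minimum scope it needs (pull-request creation on this repository) would help keep it least-privilege.
```yaml
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
          RELEASE_DATE: ${{ steps.date.outputs.date }}
        run: |
          cat << EOF > body.md
          ## Release ${RELEASE_DATE}

          **Please merge this PR using 'Create a merge commit'!**
          EOF

          gh pr create --title "Release ${RELEASE_DATE}" \
            --body-file "body.md" \
            --head "releases/${RELEASE_DATE}" \
            --base "release"
```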