From 8febd3eb05cec9be1b728573f86de67dbe5ec1aa Mon Sep 17 00:00:00 2001
From: Jonathan Putney
Date: Wed, 20 May 2026 13:52:51 -0400
Subject: [PATCH] ci(release): push via RELEASE_TOKEN PAT instead of deploy-key SSH

The v0.4.0 release attempt failed because maven-release-plugin's direct push to main was rejected by the new main-protection ruleset:
remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: - 8 of 8 required status checks are expected.
Deploy keys can't be bypass actors on a ruleset (only Users, Apps, Teams, or RepositoryRoles can). Switch to a fine-grained PAT owned by the repo admin, whose Admin role IS a bypass actor on main-protection.
Changes:
- actions/checkout uses token: RELEASE_TOKEN, which configures an http.extraheader so all subsequent github.com pushes authenticate as the PAT owner.
- Drop the webfactory/ssh-agent step (no more SSH push).
- Override developerConnection to HTTPS in release:prepare so maven-
  release-plugin pushes over HTTPS and picks up that extraheader. (pom's developerConnection stays SSH for local-dev convenience.)
- Pull github.repository into a REPO env var per workflow security guidance (no longer interpolating ${{ }} directly in run: blocks).
MAVEN_RELEASE_SSH_KEY secret and the deploy key are now unused; can be removed in a follow-up after one or two successful releases confirm the PAT path.
---
 .github/workflows/release.yml | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 41662b2..3ab5600 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,13 +83,17 @@ jobs:
       attestations: write
     runs-on: ubuntu-latest
     steps:
+      # Checkout with RELEASE_TOKEN (fine-grained PAT owned by repo admin,
+      # Contents+Workflows R/W on this repo only). actions/checkout configures
+      # an http.extraheader so subsequent git pushes authenticate as the PAT
+      # owner. The owner has the Admin role, which is a bypass actor on the
+      # "main-protection" ruleset — so release:prepare can push the
+      # `prepare release` and `prepare for next development iteration` commits
+      # without satisfying the 8 required status checks first.
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-
-      - uses: webfactory/ssh-agent@v0.10.0
-        with:
-          ssh-private-key: ${{ secrets.MAVEN_RELEASE_SSH_KEY }}
+          token: ${{ secrets.RELEASE_TOKEN }}
 
       - uses: actions/setup-java@v5
         with:
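Review bot: The RELEASE_TOKEN handed to actions/checkout is persisted in the workspace `.git/config` (checkout's default `persist-credentials`) so the later `release:prepare` push can use it, which also means every subsequent step of this job — setup-java and the full Maven build that release:perform runs, including any plugin or test code pulled in as a dependency — can read a PAT that the new comment describes as carrying Admin-bypass on main, a wider blast radius than the deploy key it replaces. The token's scope should therefore be as narrow as possible: the comment grants "Contents+Workflows R/W", but Workflows write is only required if the release commits touch files under `.github/workflows/`, which a maven-release-plugin version bump presumably does not — confirm and drop that permission if so. Worth recording next to the step: `# NOTE: this token stays in .git/config for every later step of the job; keep its scope minimal.` Separately, PAT-authenticated pushes, unlike GITHUB_TOKEN pushes, do fire `push`/`create` workflow events, so if this workflow or another one triggers on the release tag or on main, the prepare push will start it — check the `on:` block, which is outside this hunk.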
@@ -109,17 +113,24 @@ jobs:
         run: |
           git config --global user.name "github-actions[bot]"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          mvn -B -ntp -Dstyle.color=always release:prepare -P sign
+          # pom.xml's developerConnection still points at the SSH URL for
+          # local-dev convenience. CI doesn't have an SSH key any more — it
+          # auths via the http.extraheader actions/checkout set up — so
+          # override developerConnection to HTTPS so maven-release-plugin
+          # pushes over HTTPS and picks up the PAT credential.
+          mvn -B -ntp -Dstyle.color=always release:prepare -P sign \
+            -DdeveloperConnection=scm:git:https://github.com/${REPO}.git
           cat release.properties
           RELEASE_TAG=$(grep '^scm.tag=' release.properties | cut -d'=' -f2)
           echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"
           mvn -B -ntp -Dstyle.color=always release:perform -P sign \
-            -DconnectionUrl=scm:git:https://github.com/${{ github.repository }}.git
+            -DconnectionUrl=scm:git:https://github.com/${REPO}.git
           echo "Released ${RELEASE_TAG} 🚀" >> "$GITHUB_STEP_SUMMARY"
         env:
           OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+          REPO: ${{ github.repository }}
         # release:perform checks the tagged code into target/checkout/ and runs
         # the central+sign profiles (see in pom.xml). The