ci: fixup release permissions

2022-10-28 14:39:52 +02:00 · 2022-10-28 14:39:52 +02:00 · 8a79f61790
parent 420d7f1cea
commit 8a79f61790
2 changed files with 10 additions and 13 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,21 +18,13 @@ permissions:
  contents: write

 jobs:
-  # this job is just here as a fail-safe to make sure that the invoking user has the necessary permissions
-  # before we start the release process. This way we hopefully don't have to clean up incomplete release processes.
-  permission-check:
-    runs-on: ubuntu-latest
-    environment: deploy-release
-    steps:
-      - run: echo "ok"
-
  release:
-    needs: permission-check
+    environment: deploy-release
    runs-on: ubuntu-latest
-    env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PUSH_TOKEN }}  # this token works to push to the protected main branch.
      - uses: actions/setup-node@v3
        with:
          node-version-file: .github/node-version.txt
@ -40,3 +32,5 @@ jobs:
        with:
          python-version-file: .github/python-version.txt
      - run: ./release/release.py ${{ inputs.version }} ${{ inputs.skip-branch-status-check }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # this token works with the GraphQL API
--- a/release/release.py
+++ b/release/release.py
@ -98,8 +98,11 @@ if __name__ == "__main__":
                    "--title", f"mitmproxy {version}",
                    "--notes-file", "release/github-release-notes.txt"], cwd=root, check=True)

-    print("➡️ Dispatching release workflow...")
-    subprocess.run(["gh", "workflow", "run", "main.yml", "--ref", version], cwd=root, check=True)
+    # We currently have to use a personal access token, which auto-triggers CI.
+    # The default GITHUB_TOKEN cannot push to protected branches,
+    # see https://github.com/community/community/discussions/13836.
+    # print("➡️ Dispatching release workflow...")
+    # subprocess.run(["gh", "workflow", "run", "main.yml", "--ref", version], cwd=root, check=True)

    print("")
    print("✅ CI is running now. Make sure to approve the deploy step: https://github.com/mitmproxy/mitmproxy/actions")