From 9d99a3810ac075bf677a1515aa0eee2249b7242a Mon Sep 17 00:00:00 2001
From: Volodymyr Vreshch <vreshch@gmail.com>
Date: Wed, 15 Apr 2026 21:53:09 +0200
Subject: [PATCH] fix(release): auth release push with RELEASE_PAT for
 auto-merge

GITHUB_TOKEN-authored pushes don't fire downstream workflows, so
pr-validation.yml never runs on the release PR and `gh pr merge --auto`
stays stuck at mergeStateStatus=CLEAN forever. Re-auth origin with an
org-scoped RELEASE_PAT before push + PR create. Falls back to
GITHUB_TOKEN so existing release runs keep working until the secret
is configured.
---
 .github/workflows/release-prepare.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index b5e6420..88c59ea 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -117,7 +117,7 @@ jobs:
         if: steps.check_pr.outputs.skip != 'true' && steps.check_commits.outputs.has_commits == 'true'
         id: create_pr
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.RELEASE_PAT || secrets.GITHUB_TOKEN }}
         run: |
           RELEASE_LABEL="${{ steps.bump.outputs.release_label }}"
           # Create a safe branch name from label (replace @ with - and , with -)
@@ -127,6 +127,11 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
+          # Re-auth origin so the push is authored by RELEASE_PAT, which fires
+          # downstream workflows. GITHUB_TOKEN pushes are suppressed by GitHub
+          # to prevent recursion, which stalls auto-merge on the release PR.
+          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
+
           git checkout -b "$BRANCH_NAME"
           git add -A
           git commit -m "$(cat <<'EOF'
@@ -172,7 +177,7 @@ jobs:
       - name: Auto-merge release PR
         if: steps.create_pr.outputs.pr_url && github.event.inputs.auto_merge == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.RELEASE_PAT || secrets.GITHUB_TOKEN }}
         run: |
           gh pr merge "${{ steps.create_pr.outputs.pr_url }}" --auto --squash