
Conversation

@rishitank
Owner

@rishitank rishitank commented Jan 5, 2026

Problem

The auto-bump logic fails because branch protection rules prevent workflows from pushing directly to main using the default GITHUB_TOKEN.

Solution

Use a Personal Access Token (PAT) stored as RELEASE_TOKEN secret. This token can bypass branch protection because it represents your user account, not the GitHub Actions bot.

One-time setup required:

  1. Create a Fine-Grained PAT:

  2. Add as repository secret:

How it works

After merging this PR and setting up RELEASE_TOKEN:

  1. Every merge to main triggers CI
  2. When CI passes, Release workflow runs
  3. If current version tag exists (e.g., v2.1.0), it auto-bumps to v2.1.1
  4. Commits the version bump using RELEASE_TOKEN (bypasses protection)
  5. Builds binaries and creates GitHub Release

Changes

  • Uses ${{ secrets.RELEASE_TOKEN || secrets.GITHUB_TOKEN }} for checkout and push
  • Falls back to GITHUB_TOKEN if RELEASE_TOKEN not set (will fail on protected branches)

Previously, when the Release workflow was triggered by workflow_run (after CI
completes on main), it would skip the release if the current version tag already
existed. This required manual version bumps before each release.

Now, when triggered by workflow_run:
- If current version tag doesn't exist → release with current version
- If current version tag exists → auto-bump patch version, update Cargo.toml, then release

This makes releases fully automatic after merging PRs to main.
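The decision the workflow_run path makes (tag absent: release the current version; tag present: require the token, bump the patch version, rewrite Cargo.toml) is shown below as an added example in plain POSIX sh. It is not the project's release.yml and none of the function names come from it. It reads the version from a constructed Cargo.toml, takes the repository's existing tags as a newline-separated string in place of a `git ls-remote --tags` query, and receives the RELEASE_TOKEN value as an argument so the gate can be exercised without GitHub Actions:

```shell
#!/bin/sh
# Added example (not the PR's workflow code): the version gate of an
# auto-bumping release job, as testable POSIX sh functions.

# Print the version from the [package] table of a Cargo.toml.
# Scoped to [package] so a version key in another table is ignored.
cargo_version() {
  awk -F'"' '/^\[/{in_pkg = ($0 == "[package]")}
             in_pkg && /^version[ \t]*=/ {print $2; exit}' "$1"
}

# Rewrite only the [package] version line; other tables are untouched.
set_cargo_version() {
  awk -v nv="$2" '/^\[/{in_pkg = ($0 == "[package]")}
                  in_pkg && /^version[ \t]*=/ && !done {
                    sub(/"[^"]*"/, "\"" nv "\""); done = 1 }
                  {print}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# MAJOR.MINOR.PATCH -> MAJOR.MINOR.PATCH+1; anything else is rejected,
# so a pre-release or malformed version never gets silently "bumped".
bump_patch() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
  [ "$rest" != "$minor" ] || return 1            # fewer than three parts
  [ "$patch" = "${patch%%.*}" ] || return 1      # more than three parts
  echo "$major.$minor.$((patch + 1))"
}

# $1 = tag name, $2 = newline-separated list of existing tags.
# In the workflow this would be a `git ls-remote --tags origin` lookup.
tag_exists() {
  printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# $1 = Cargo.toml, $2 = existing tags, $3 = RELEASE_TOKEN ("" if unset).
# Prints "release=<ver> bump=<bool>"; in a job these become $GITHUB_OUTPUT writes.
plan_release() {
  ver=$(cargo_version "$1") || return 1
  [ -n "$ver" ] || { echo "error: no [package] version in $1" >&2; return 1; }
  if ! tag_exists "v$ver" "$2"; then
    echo "release=$ver bump=false"
    return 0
  fi
  if [ -z "$3" ]; then
    echo "error: tag v$ver exists and RELEASE_TOKEN is not set;" \
         "a bump commit cannot be pushed to a protected branch" >&2
    return 2
  fi
  new=$(bump_patch "$ver") || { echo "error: cannot bump '$ver'" >&2; return 1; }
  echo "release=$new bump=true"
}

# Constructed sample manifest (not the PR's Cargo.toml). The
# [workspace.package] version line is there to show why cargo_version
# must be scoped to [package] rather than taking the first match.
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" <<'EOF'
[workspace]
members = []

[workspace.package]
version = "0.1.0"

[package]
name = "demo-crate"
version = "2.1.0"
edition = "2021"

[dependencies.serde]
version = "1.0"
features = ["derive"]
EOF

# Constructed tag list: v2.1.0 already exists, so a bump is needed.
EXISTING_TAGS="v2.0.0
v2.1.0"

echo "without RELEASE_TOKEN:"
plan_release "$SAMPLE_MANIFEST" "$EXISTING_TAGS" "" || echo "exit status $?"
echo "with RELEASE_TOKEN:"
plan_release "$SAMPLE_MANIFEST" "$EXISTING_TAGS" "placeholder-token"
```

Without the token the job stops before touching the branch and says why; with it, the plan is `release=2.1.1 bump=true` and `set_cargo_version` rewrites only the `[package]` line, leaving the `[workspace.package]` and dependency versions as they were. The `bump_patch` rejection of anything but three numeric components is deliberate: a `2.1.0-rc1` in Cargo.toml should surface as an error rather than become a tag nobody intended.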
@coderabbitai

coderabbitai bot commented Jan 5, 2026

Warning

Rate limit exceeded

@rishitank has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 17 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between dc9d0b8 and 8f78d7b.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

The release workflow now prevents auto-bumping of patch versions when tags already exist, instead emitting notices and setting should_release to false. A RELEASE_TOKEN secret is now required for the bump-version path; GITHUB_TOKEN usage has been replaced with RELEASE_TOKEN for authentication in relevant steps.

Changes

Cohort / File(s): Release Workflow Token & Tag Handling (.github/workflows/release.yml)
Summary: Removed auto-patch-bump on existing tags; added RELEASE_TOKEN requirement gate with explicit error messages for missing token; replaced all GITHUB_TOKEN references with RELEASE_TOKEN in bump-version path (checkout, push, and environment variable passing).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Poem

🐰 Tokens now guard the bumping gate,
Auto-patches meet their fate,
RELEASE_TOKEN holds the key,
Manual bumps shall come to be,
Safer releases, wild and free! 🎉

Pre-merge checks

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The pull request title directly addresses the main change: handling branch protection in the release workflow by reverting auto-bump logic and adding RELEASE_TOKEN requirements.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@rishitank rishitank force-pushed the fix/release-workflow-v2 branch from dc9d0b8 to 9ec4732 Compare January 5, 2026 22:19
@rishitank rishitank changed the title fix: handle branch protection in release workflow fix: restore auto-bump in release workflow Jan 5, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

111-114: Incomplete guidance in notice messages.

The PR objectives mention three supported release methods, but the notices only list two. Additionally, the workflow_dispatch option requires RELEASE_TOKEN but this isn't clarified in the notice.

🔎 Suggested enhancement for completeness
-              echo "::notice::Tag v$CURRENT_VERSION already exists. To create a new release, either:"
-              echo "::notice::  1. Bump the version in Cargo.toml before merging to main"
-              echo "::notice::  2. Use workflow_dispatch with bump_type to auto-bump and release"
+              echo "::notice::Tag v$CURRENT_VERSION already exists. To create a new release, choose one of:"
+              echo "::notice::  1. Bump the version in Cargo.toml before merging to main (recommended)"
+              echo "::notice::  2. Use workflow_dispatch with bump_type (requires RELEASE_TOKEN secret)"
+              echo "::notice::  3. Push a tag directly: git tag v2.2.0 && git push origin v2.2.0"
               echo "should_release=false" >> $GITHUB_OUTPUT
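Review bot: option 3 in the proposed notice hardcodes `v2.2.0` as the tag to push, which is only right for the version current when the message was written; build the example from `$CURRENT_VERSION` instead, or state it generically. That line should also say that a hand-pushed tag does not go through the CI gate the workflow_run path relies on, since the PR description presents "CI passes" as the precondition for a release. Minor: the unchanged closing line appends to `$GITHUB_OUTPUT` unquoted; write it as `>> "$GITHUB_OUTPUT"`.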

156-164: Remove redundant environment variable.

The GITHUB_TOKEN environment variable on line 164 is unnecessary because the checkout action on line 144-146 already configured git to use RELEASE_TOKEN for authentication. Git will automatically use that token for the push operation.

Additionally, setting an environment variable named GITHUB_TOKEN to the value of RELEASE_TOKEN is confusing.

🔎 Proposed cleanup
       - name: Commit version bump
         run: |
           VERSION="${{ needs.check.outputs.version }}"
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git add Cargo.toml
           git commit -m "chore: bump version to $VERSION [skip ci]"
           git push
-        env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
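Review bot: removing the `env` block makes `git push` depend silently on the credential that the checkout step persisted (the comment above points at lines 144-146 for that); if that step is later given `persist-credentials: false` or its `token` is changed, the push fails with an authentication error that nothing in this step explains, so add a one-line comment above `git push` naming that dependency. Separately, the commit is authored as github-actions[bot] but pushed with a personal PAT, so the branch history shows the token owner as the pusher; document that beside the RELEASE_TOKEN setup notes so the audit trail is not a surprise. Keep `[skip ci]` in the message: it is what stops the bump commit from re-entering the CI and workflow_run chain described in the PR.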
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f5f7610 and dc9d0b8.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (3)
.github/workflows/release.yml (3)

128-129: LGTM! Clear documentation of token requirements.

The comments effectively explain the RELEASE_TOKEN requirement and provide context about bypass permissions for protected branches.


135-142: LGTM! Proper secret validation with clear error messages.

The check correctly validates that RELEASE_TOKEN is configured and provides actionable guidance if it's missing. The error messages clearly explain both the requirement and the alternatives.


146-146: LGTM! Correct token usage for protected branch access.

Using RELEASE_TOKEN for checkout is necessary to enable the subsequent git push to the protected main branch.

Uses RELEASE_TOKEN (a PAT with Contents write permission) to bypass
branch protection when auto-bumping the version.

Setup required:
1. Create a Fine-Grained PAT at GitHub Settings → Developer Settings → Personal Access Tokens
2. Grant it 'Contents: Read and write' permission for this repo
3. Add it as a repository secret named RELEASE_TOKEN

The workflow falls back to GITHUB_TOKEN if RELEASE_TOKEN is not set,
which will fail on protected branches but work on unprotected ones.
@rishitank rishitank force-pushed the fix/release-workflow-v2 branch from 9ec4732 to 8f78d7b Compare January 5, 2026 22:22
@rishitank rishitank merged commit 33defd9 into main Jan 5, 2026
2 checks passed
@rishitank rishitank deleted the fix/release-workflow-v2 branch January 5, 2026 22:25