fix(ci): use ACTIONS_PAT for main-release-marker push#18

Merged
FedeZara merged 2 commits into main from FedeZara/release-marker-pat on May 20, 2026

Conversation

Contributor

@FedeZara FedeZara commented May 15, 2026

Summary

Two fixes coupled into one PR to release ASAP. Both unblock the observability rollout end-to-end.

1. Use ACTIONS_PAT for the main-release-marker push

The release workflow's main-release-marker step tries git push origin main to land the chore(release): <action>/<version> ledger commit. That push is rejected by main's branch protection:

remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: - Changes must be made through a pull request.

Confirmed in run 25934187071. The release itself succeeded — only the ledger commit was dropped, exactly as designed for the "best-effort marker" semantics. But that means <action>/RELEASES.md never gets populated on main, defeating the whole point of having the ledger.

Mirror fern's release-software.yml pattern: pass an ACTIONS_PAT secret to actions/checkout so subsequent git push calls authenticate as a user/app with branch-protection bypass.

- name: Checkout main
  uses: actions/checkout@v4
  with:
    ref: main
    fetch-depth: 1
    token: ${{ secrets.ACTIONS_PAT || secrets.GITHUB_TOKEN }}

Falls back to GITHUB_TOKEN if ACTIONS_PAT isn't configured — preserves the current "best-effort with warning" behavior for anyone running the workflow without the PAT.

2. Inject Sentry debug IDs before upload-artifact

Stack frames in Sentry stayed minified despite source-map upload succeeding. The Sentry CLI log from the failing release confirms what's happening:

> Uploaded files to Sentry
> Upload type: artifact bundle
> Release: verify-token@v0.0.1-test

sentry-cli 2.x uploads as an artifact bundle, which Sentry matches against runtime stack frames via debug IDs — UUIDs embedded in both the JS (//# debugId=…) and the sourcemap ("debugId": …). The legacy filename + release-files fallback doesn't kick in for artifact bundles. Verified the published dist/verify-token bundle had //# sourceMappingURL=… but no debugId= pragma, and the sourcemap had sourcesContent + 942 source entries but debugId: <unset>.

Fix: run sentry-cli sourcemaps inject in the build job before upload-artifact. Both downstream jobs (sentry-release, publish-dist) download the same artifact, so:

  • sentry-release uploads the injected bundle to Sentry — debug ID embedded;
  • publish-dist commits the injected JS to dist/<action> — so the bundle consumers actually execute carries the same debug ID, and the Sentry SDK reports it in stack frames.

Doing inject only in sentry-release (inject: true on getsentry/action-release@v1) wouldn't fix this — that injects in its own workspace, but publish-dist downloads its own un-injected copy and pushes that to the dist branch. inject: false is set explicitly on sentry-release so it doesn't re-inject with fresh UUIDs.

Verified locally — sentry-cli sourcemaps inject adds matching 0e2441e4-9669-58ae-aaa8-bc853561d4c0 to both files on a fresh build.

Operator action required (unchanged from before)

To make the marker step actually push successfully:

  1. Generate a fine-grained PAT with Contents: read and write on fern-api/actions, on an account that's allowed to bypass branch protection on main.
  2. Add it as repo secret ACTIONS_PAT on fern-api/actions.

Without this, the marker step continues to log a warning and skip — release still completes, ledger entry just doesn't land (same as today).

Test plan

  • pnpm typecheck clean, actionlint clean
  • Local: sentry-cli sourcemaps inject against a fresh pnpm build of verify-token — JS gets a //# debugId=… pragma, .map gets a matching "debugId" field with the same UUID
  • After merge, dispatch release.yml for verify-token with v0.0.2-test, prerelease=true. Verify:
    • new Inject Sentry debug IDs step succeeds
    • Create Sentry release + upload sourcemaps still logs Upload type: artifact bundle
    • published bundle carries debug ID: git show verify-token/v0.0.2-test:dist/index.js | tail -2 | grep debugId
    • verify-token/RELEASES.md now actually appears on main with the new entry (ACTIONS_PAT fix)
  • Trigger federico-automations-tests in failure mode, confirm the resulting Sentry event has TypeScript-source stack frames, not minified JS.

Out of scope

The existing verify-token/v0.0.1-test release will keep showing minified frames — it was published without a debug ID. Cut a new prerelease (v0.0.2-test) to validate end-to-end. The old release can't be retroactively deobfuscated unless its bundle is re-uploaded with debug IDs, which isn't worth the effort for a smoke-test release.
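A check for the property the test plan above verifies by hand, as an added example that is not code from the PR: it pulls the debug ID out of a bundle's `//# debugId=` pragma and out of the sourcemap's `"debugId"` field and confirms they are present and identical. The fixture files are constructed; the UUID reused in them is the one quoted in the PR.

```shell
#!/bin/sh
# Added example, not code from the PR: verify that a built JS bundle and its
# sourcemap carry the same Sentry debug ID (the property the test plan checks
# by hand). Fixture files below are constructed; the UUID is the one the PR quotes.

# Extract the UUID from the last "//# debugId=<uuid>" pragma in a JS bundle.
js_debug_id() {
  sed -n 's/^\/\/# debugId=\([0-9a-fA-F-]*\).*/\1/p' "$1" | tail -n 1
}

# Extract the top-level "debugId" field from a sourcemap without needing jq.
map_debug_id() {
  sed -n 's/.*"debugId"[[:space:]]*:[[:space:]]*"\([0-9a-fA-F-]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only when both files carry a non-empty, identical debug ID;
# a bundle with no pragma (un-injected) fails this check.
check_debug_ids() {
  js_id=$(js_debug_id "$1")
  map_id=$(map_debug_id "$2")
  [ -n "$js_id" ] && [ "$js_id" = "$map_id" ]
}

# Write constructed fixtures: an injected JS/map pair and an un-injected bundle.
setup_fixtures() {
  dir=$(mktemp -d)
  printf 'console.log("hi");\n//# debugId=0e2441e4-9669-58ae-aaa8-bc853561d4c0\n//# sourceMappingURL=index.js.map\n' > "$dir/injected.js"
  printf '{"version":3,"sources":["src/index.ts"],"debugId":"0e2441e4-9669-58ae-aaa8-bc853561d4c0","mappings":""}\n' > "$dir/injected.js.map"
  printf 'console.log("hi");\n//# sourceMappingURL=index.js.map\n' > "$dir/plain.js"
  echo "$dir"
}

# Stand-alone run over the fixtures (a CI step would point these at dist/ instead).
demo_dir=$(setup_fixtures)
if check_debug_ids "$demo_dir/injected.js" "$demo_dir/injected.js.map"; then
  echo "injected pair OK: $(js_debug_id "$demo_dir/injected.js")"
fi
if ! check_debug_ids "$demo_dir/plain.js" "$demo_dir/injected.js.map"; then
  echo "plain bundle has no debugId pragma: Sentry has nothing to match frames on"
fi
```

Pointing `check_debug_ids` at the downloaded artifact in both `sentry-release` and `publish-dist` would catch the case the PR describes, where one job uploads an injected bundle and the other publishes an un-injected copy.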

@FedeZara FedeZara requested a review from Swimburger as a code owner May 15, 2026 18:34
FedeZara and others added 2 commits May 20, 2026 18:19

The main-release-marker job's `git push origin main` is rejected by
branch protection (GH006: protected branch update failed, "Changes
must be made through a pull request"). This means the per-action
`<action>/RELEASES.md` ledger entries never land on main, and the
`chore(release): <action>@<version>` markers we designed for searchable
release history on main are silently dropped each release.

Fix mirrors fern's release-software.yml pattern: pass an `ACTIONS_PAT`
to actions/checkout so subsequent git operations authenticate as a
user/app that's been added to main's branch-protection bypass
allowlist. Falls back to GITHUB_TOKEN when ACTIONS_PAT isn't set, so
the existing "best-effort with warning" behavior is preserved for
anyone running the workflow without the PAT configured.

Operator action required to make this actually work:
  1. Generate a fine-grained PAT (Contents: read and write on this repo)
     under a user account that has bypass access for main's protection
     rule. Same setup fern already uses.
  2. Add it as `ACTIONS_PAT` repo secret in fern-api/actions.

The release workflow itself is unchanged in behavior when ACTIONS_PAT
is missing — it still releases successfully and logs the marker-push
warning.

Documents ACTIONS_PAT in CONTRIBUTING.md alongside the other required
secrets.

sentry-cli 2.x uploads as an artifact bundle, which Sentry matches via
debug IDs — not filename + release-files fallback. Bundle had no debug
ID, so the matcher had nothing to match on and stack frames stayed
minified.

Inject in the build job upstream of upload-artifact: both sentry-release
(uploads to Sentry) and publish-dist (commits to dist/<action>) consume
the same artifact, so the bundle Sentry knows about and the one
consumers actually execute share the same debug ID. Sets inject: false
on the sentry-release action so it doesn't re-inject with fresh UUIDs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@FedeZara FedeZara force-pushed the FedeZara/release-marker-pat branch from bf55466 to 66ff598 on May 20, 2026 16:20
@FedeZara FedeZara merged commit 8e8093b into main May 20, 2026
6 checks passed