ci(release): push via RELEASE_TOKEN PAT instead of deploy-key SSH #15
Merged
The v0.4.0 release attempt failed because maven-release-plugin's direct
push to main was rejected by the new main-protection ruleset:
remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: - 8 of 8 required status checks are expected.
Deploy keys can't be bypass actors on a ruleset (only Users, Apps, Teams,
or RepositoryRoles can). Switch to a fine-grained PAT owned by the repo
admin, whose Admin role IS a bypass actor on main-protection.
Changes:
- actions/checkout uses token: RELEASE_TOKEN, which configures an
http.extraheader so all subsequent github.com pushes authenticate as
the PAT owner.
- Drop the webfactory/ssh-agent step (no more SSH push).
- Override developerConnection to HTTPS in release:prepare so
maven-release-plugin pushes over HTTPS and picks up that extraheader.
(pom's developerConnection stays SSH for local-dev convenience.)
- Pull github.repository into a REPO env var per workflow security
guidance (no longer interpolating ${{ }} directly in run: blocks).
MAVEN_RELEASE_SSH_KEY secret and the deploy key are now unused; can be
removed in a follow-up after one or two successful releases confirm the
PAT path.
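The job shape the commit message describes, written out as an added example; this is not the repository's own workflow file. The secret name RELEASE_TOKEN and the REPO env var come from the PR text, while the `project.scm.developerConnection` property used to override the pom's SCM URL for release:prepare is an assumption about maven-release-plugin.

```yaml
# Added example, not the project's workflow. Assumes a fine-grained PAT in
# secrets.RELEASE_TOKEN whose owner is a bypass actor on the main ruleset,
# and that maven-release-plugin honours -Dproject.scm.developerConnection.
name: Release
on:
  workflow_dispatch:

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      # Copy the expression into an env var once and use $REPO in run:
      # blocks, so nothing from ${{ }} is interpolated into shell text.
      REPO: ${{ github.repository }}
    steps:
      - uses: actions/checkout@v4
        with:
          # checkout writes this token into the local git config as
          # http.https://github.com/.extraheader, so every later HTTPS push
          # to github.com authenticates as the PAT owner (the bypass actor),
          # not as the default GITHUB_TOKEN and not via a deploy key.
          token: ${{ secrets.RELEASE_TOKEN }}
          fetch-depth: 0            # release:prepare needs tags and history
          persist-credentials: true # default; keeps the extraheader for mvn

      - name: Git identity for the release commits
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: release:prepare over HTTPS
        run: |
          # pom.xml keeps the scm:git:git@github.com:... developerConnection
          # for local development; override it only here so the plugin
          # pushes over HTTPS and picks up the checkout extraheader.
          mvn -B release:prepare \
            -Dproject.scm.developerConnection="scm:git:https://github.com/${REPO}.git"
```

The PAT is still only exposed through the git config on the runner, so a leaked job log shows the masked secret rather than a plaintext SSH key from an ssh-agent step.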
Summary
The v0.4.0 release failed because maven-release-plugin's direct push to main was rejected by the new `main-protection` ruleset (8 required checks, strict). Deploy keys cannot be ruleset bypass actors. Switch to a fine-grained PAT (`RELEASE_TOKEN`) owned by the repo admin, whose Admin role IS in the ruleset's `bypass_actors`.
Changes
After this merges
Re-trigger `Release` workflow on main. Same expected pipeline as before:
preflight → 3-OS verify → release:prepare (now pushes via HTTPS+PAT, Admin bypasses ruleset) → release:perform (Maven Central) → SBOM collection → sigstore attestations → GitHub Release.
Follow-up (out of scope)