
fix(ci): add persist-credentials: false to release checkout #690

Merged: orionmiz merged 1 commit into main from edward_karrot/fix-release-ci on Mar 31, 2026

Conversation

@orionmiz (Collaborator)

Summary

  • Add persist-credentials: false to the actions/checkout step in the release workflow

Problem

The Version Packages PR created by the Changesets action does not trigger CI. Manually closing and reopening the PR is required as a workaround.

Root cause: actions/checkout@v4 persists github.token as an Authorization header in git's http.extraheader config. When the Changesets action later force-pushes the release branch, git uses this header (highest priority) instead of the PAT written to ~/.netrc. Since github.token is used for the push, GitHub's anti-loop policy prevents workflow triggers.

Authentication priority:

| Priority | Method            | Description                                       |
|----------|-------------------|---------------------------------------------------|
| 1        | http.extraheader  | HTTP header set in git config by actions/checkout |
| 2        | credential helper | External program registered via credential.helper |
| 3        | .netrc            | PAT written by Changesets action                  |

Fix

Setting persist-credentials: false prevents actions/checkout from persisting the github.token header. The Changesets action's PAT (via .netrc) is then used for the force push, which triggers CI as expected.

Test plan

  • Merge a changeset to main and verify the Version Packages PR has CI checks running without manual close/reopen

🤖 Generated with Claude Code

Ensure Changesets action uses PAT for git push so that CI triggers
on the Version Packages PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
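An added check (not code from the stackflow repository, actions/checkout or the Changesets action) that applies the priority table from the PR description: given a checkout's .git/config and a .netrc, it reports which source git's HTTP transport will use for a push to github.com, and shows why the persisted header wins until persist-credentials: false removes it. The config and .netrc contents, the example-org/example-repo remote and the PLACEHOLDER_* token values are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the stackflow repository or actions/checkout.
# Given a checked-out repo's .git/config and a ~/.netrc, report which credential
# source git's HTTP transport will use for a push to github.com, following the
# priority table in the PR description:
#   1. http.extraheader   2. credential.helper   3. .netrc
# The files below are constructed to resemble what actions/checkout@v4 (default
# persist-credentials: true) and the Changesets action leave behind; the token
# and PAT values are placeholders.
WORK=$(mktemp -d)

# .git/config after checkout with credentials persisted (the pre-fix state).
cat > "$WORK/persisted.config" <<'EOF'
[remote "origin"]
    url = https://github.com/example-org/example-repo
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64_TOKEN
EOF

# .git/config after checkout with persist-credentials: false (this PR's state).
cat > "$WORK/clean.config" <<'EOF'
[remote "origin"]
    url = https://github.com/example-org/example-repo
EOF

# ~/.netrc as written by the Changesets action (PAT placeholder).
cat > "$WORK/netrc" <<'EOF'
machine github.com
login github-actions[bot]
password PLACEHOLDER_PAT
EOF

# Usage: push_auth_source <git-config-file> <netrc-file>
# Prints the first source, in priority order, that supplies credentials.
push_auth_source() {
  cfg=$1
  netrc=$2
  if grep -qiE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*authorization:' "$cfg"; then
    echo "http.extraheader"
  elif grep -qiE '^[[:space:]]*helper[[:space:]]*=' "$cfg"; then
    echo "credential.helper"
  elif [ -f "$netrc" ] && grep -qE '^[[:space:]]*machine[[:space:]]+github\.com([[:space:]]|$)' "$netrc"; then
    echo ".netrc"
  else
    echo "none"
  fi
}

push_auth_source "$WORK/persisted.config" "$WORK/netrc"   # http.extraheader (github.token wins)
push_auth_source "$WORK/clean.config" "$WORK/netrc"       # .netrc (the PAT is used)
```

On a runner the same function can be pointed at the real `.git/config` and `$HOME/.netrc` after the checkout step to confirm that no Authorization header survived for later steps.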
@changeset-bot commented Mar 31, 2026

⚠️ No Changeset found

Latest commit: 4c513d2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai commented Mar 31, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated release workflow credentials configuration to enhance security handling during the build process.

Walkthrough

Updated the GitHub Actions release workflow to set persist-credentials: false in the checkout step, preventing GitHub-provided credentials from being stored for subsequent workflow steps.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow Configuration: .github/workflows/release.yml | Modified actions/checkout@v4 step to set persist-credentials: false, controlling credential persistence behavior during checkout. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding persist-credentials: false to the release checkout step. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing detailed context about the problem, root cause, and solution. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@cloudflare-workers-and-pages: Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | stackflow-docs | 4c513d2 | Commit Preview URL | Mar 31 2026, 07:23 AM |

@cloudflare-workers-and-pages: Deploying stackflow-demo with Cloudflare Pages

Latest commit: 4c513d2
Status: ✅ Deploy successful!
Preview URL: https://8f124c39.stackflow-demo.pages.dev
Branch Preview URL: https://edward-karrot-fix-release-ci.stackflow-demo.pages.dev

@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 23: The pull_request path sets persist-credentials: false which prevents
git auth for the script step that runs scripts/publish-preview-packages.sh
(which calls git fetch, git show-ref, git diff); update the checkout/script step
to explicitly provide credentials by adding GITHUB_TOKEN: ${{
secrets.DAANGNBOT_PAT }} (or another appropriate token) to the environment for
the step that invokes scripts/publish-preview-packages.sh, or split into
separate jobs so the checkout for the script run uses persist-credentials: true
while keeping other paths unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: de2dd51d-2b97-4062-a829-63fdb3bbab53

📥 Commits

Reviewing files that changed from the base of the PR and between c526553 and 4c513d2.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
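Review bot: this checkout step is shared by every path of release.yml, so removing the persisted header also removes git authentication from the later step that runs scripts/publish-preview-packages.sh (git fetch origin, git show-ref, git diff against origin/<base>); either give that step a token through its own env or confirm the repository is public so the unauthenticated fetch still succeeds. The change itself is the right hardening: with persist-credentials: false the github.token no longer sits in .git/config where any subsequent step could read it, and the push falls through to the PAT the Changesets action writes to .netrc, which is what lets the Version Packages PR trigger CI.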
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check repository visibility
echo "=== Repository Visibility ==="
gh repo view daangn/stackflow --json visibility --jq '.visibility'

echo -e "\n=== Checking recent workflow runs for pull_request events ==="
gh run list --workflow=release.yml --event=pull_request --limit 5 --json databaseId,conclusion,headBranch,event,createdAt --jq '.[] | "\(.databaseId) \(.event) \(.conclusion) \(.headBranch) \(.createdAt)"'

echo -e "\n=== Checking for failures in publish-preview-packages.sh step ==="
gh run list --workflow=release.yml --event=pull_request --limit 5 --json databaseId,conclusion | \
  jq -r '.[] | select(.conclusion != "success") | .databaseId' | \
  while read run_id; do
    echo "Checking run $run_id:"
    gh run view "$run_id" --log 2>/dev/null | grep -A5 "publish-preview-packages.sh" || echo "  (no relevant logs found)"
  done

Repository: daangn/stackflow

Length of output: 623


🏁 Script executed:

# First, let's examine the release.yml file completely
cat -n .github/workflows/release.yml

Repository: daangn/stackflow

Length of output: 3098


🏁 Script executed:

# Check if scripts/publish-preview-packages.sh exists and examine it
cat -n scripts/publish-preview-packages.sh

Repository: daangn/stackflow

Length of output: 2154


Provide explicit authentication credentials for the pull_request workflow path.

Setting persist-credentials: false correctly fixes the Changesets CI trigger issue for push events (line 71), but the pull_request workflow path (line 81-82) will fail because the script requires git authentication that is not provided.

The script scripts/publish-preview-packages.sh performs authenticated git operations:

  • Line 11: git fetch origin
  • Line 13: git show-ref --verify --quiet refs/remotes/origin/"$BASE_BRANCH"
  • Line 21: git diff --name-only origin/"$BASE_BRANCH"...HEAD

With persist-credentials: false and no explicit GITHUB_TOKEN passed to the script, these operations will fail, particularly for private repositories. The Changesets action (line 77) explicitly provides GITHUB_TOKEN: ${{ secrets.DAANGNBOT_PAT }}, but the script step (line 82) receives no credentials.

Fix: Add GITHUB_TOKEN to the script step:

Recommended solution
      - name: Continuous release via pkg.pr.new
        if: github.event_name == 'pull_request'
        run: ./scripts/publish-preview-packages.sh ${{ github.event.pull_request.base.ref }}
+       env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
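Review bot: the suggested env uses secrets.GITHUB_TOKEN while the agent prompt in the same comment names secrets.DAANGNBOT_PAT; pick one deliberately. secrets.GITHUB_TOKEN is the same github.token identity whose pushes the PR description shows do not trigger workflows, so it is adequate for the read-only fetch/show-ref/diff in the preview script but must not be reused for the Changesets push. Also, exporting GITHUB_TOKEN into the step's environment does nothing for plain git commands by itself: git does not read that variable, so the script would still need to pass the token into the remote URL or a credential helper for this env block to have any effect.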

Alternatively, split into separate jobs with different checkout configurations if you need more granular control over credentials per workflow path.


@orionmiz orionmiz merged commit b6867bd into main Mar 31, 2026
8 checks passed
@orionmiz orionmiz deleted the edward_karrot/fix-release-ci branch March 31, 2026 10:44