Merged
1 change: 1 addition & 0 deletions .github/workflows/release.yml
Expand Up @@ -20,6 +20,7 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
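Review bot: the added `persist-credentials: false` is the right hardening for a `fetch-depth: 0` checkout (with the default, actions/checkout stores the job token in `.git/config` as an `http.https://github.com/.extraheader`, where every later step in the job, including package install scripts, can read it), but it applies to every path of this job, so the pull_request step that runs `scripts/publish-preview-packages.sh` now executes `git fetch origin` with no stored token. Anonymous fetch is fine for a public repository; if the repository is private, pass a token to that one step rather than re-enabling persisted credentials for the whole job. Note that putting `GITHUB_TOKEN` in the step's `env` only helps if the script itself uses that variable to authenticate git (git does not read it on its own), so check the script before relying on that as the fix. A one-line comment above `persist-credentials: false` explaining that it exists so the Changesets step pushes with `DAANGNBOT_PAT` instead of the persisted token would save the next reader the same investigation.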

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check repository visibility
echo "=== Repository Visibility ==="
gh repo view daangn/stackflow --json visibility --jq '.visibility'

echo -e "\n=== Checking recent workflow runs for pull_request events ==="
gh run list --workflow=release.yml --event=pull_request --limit 5 --json databaseId,conclusion,headBranch,event,createdAt --jq '.[] | "\(.databaseId) \(.event) \(.conclusion) \(.headBranch) \(.createdAt)"'

echo -e "\n=== Checking for failures in publish-preview-packages.sh step ==="
gh run list --workflow=release.yml --event=pull_request --limit 5 --json databaseId,conclusion | \
  jq -r '.[] | select(.conclusion != "success") | .databaseId' | \
  while read run_id; do
    echo "Checking run $run_id:"
    gh run view "$run_id" --log 2>/dev/null | grep -A5 "publish-preview-packages.sh" || echo "  (no relevant logs found)"
  done

Repository: daangn/stackflow

Length of output: 623


🏁 Script executed:

# First, let's examine the release.yml file completely
cat -n .github/workflows/release.yml

Repository: daangn/stackflow

Length of output: 3098


🏁 Script executed:

# Check if scripts/publish-preview-packages.sh exists and examine it
cat -n scripts/publish-preview-packages.sh

Repository: daangn/stackflow

Length of output: 2154


Provide explicit authentication credentials for the pull_request workflow path.

Setting persist-credentials: false correctly fixes the Changesets CI trigger issue for push events (line 71), but the pull_request workflow path (lines 81-82) will fail because the script requires git authentication that is not provided.

The script scripts/publish-preview-packages.sh performs authenticated git operations:

  • Line 11: git fetch origin
  • Line 13: git show-ref --verify --quiet refs/remotes/origin/"$BASE_BRANCH"
  • Line 21: git diff --name-only origin/"$BASE_BRANCH"...HEAD

With persist-credentials: false and no explicit GITHUB_TOKEN passed to the script, these operations will fail, particularly for private repositories. The Changesets action (line 77) explicitly provides GITHUB_TOKEN: ${{ secrets.DAANGNBOT_PAT }}, but the script step (line 82) receives no credentials.

Fix: Add GITHUB_TOKEN to the script step:

Recommended solution
      - name: Continuous release via pkg.pr.new
        if: github.event_name == 'pull_request'
        run: ./scripts/publish-preview-packages.sh ${{ github.event.pull_request.base.ref }}
+       env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Alternatively, split into separate jobs with different checkout configurations if you need more granular control over credentials per workflow path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 23, The pull_request path sets
persist-credentials: false which prevents git auth for the script step that runs
scripts/publish-preview-packages.sh (which calls git fetch, git show-ref, git
diff); update the checkout/script step to explicitly provide credentials by
adding GITHUB_TOKEN: ${{ secrets.DAANGNBOT_PAT }} (or another appropriate token)
to the environment for the step that invokes
scripts/publish-preview-packages.sh, or split into separate jobs so the checkout
for the script run uses persist-credentials: true while keeping other paths
unchanged.
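An added check for the hardening this PR introduces, written here for illustration and not part of the stackflow repository, the workflow, or the review comment above: a small audit step that fails when a checkout has left an Authorization header in `.git/config`, which is exactly what `persist-credentials: false` prevents. The function names (`has_persisted_auth`, `audit_checkout`, `write_sample_config`), the sample config contents and the base64 token value are all constructed for this example; only the `[http "https://github.com/"] extraheader = AUTHORIZATION: basic ...` layout matches what actions/checkout writes.

```shell
#!/usr/bin/env sh
# Added example, not code from the stackflow repository or the PR: audit a
# git config file for a persisted Authorization header, the credential that
# actions/checkout stores unless persist-credentials: false is set.
set -eu

# Return 0 if the config file carries a persisted auth header, 1 otherwise.
# actions/checkout stores the job token as
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64 of x-access-token:TOKEN>
# so any extraheader whose value starts with "AUTHORIZATION:" counts.
has_persisted_auth() {
  config_file="$1"
  grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*authorization:' "$config_file"
}

# Fail the job with the offending key (value masked), for use as a step such as
#   run: ./audit-checkout-credentials.sh .git/config   (hypothetical file name)
audit_checkout() {
  config_file="$1"
  if has_persisted_auth "$config_file"; then
    echo "persisted credential found in $config_file:" >&2
    awk -F'=' '/extraheader/ { print FILENAME ":" FNR ": " $1 "= ***" }' "$config_file" >&2
    return 1
  fi
  echo "no persisted credential in $config_file"
}

# Constructed sample configs (not captured from a real runner) for a self-test.
# "persisted" mimics the default persist-credentials: true; "clean" mimics
# persist-credentials: false. The base64 value encodes a dummy token.
write_sample_config() {
  variant="$1"
  dir=$(mktemp -d)
  {
    printf '[core]\n\trepositoryformatversion = 0\n'
    printf '[remote "origin"]\n\turl = https://github.com/example-org/example-repo\n'
    if [ "$variant" = persisted ]; then
      printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46RFVNTVlfVE9LRU4=\n'
    fi
  } > "$dir/config"
  echo "$dir/config"
}

# Self-test: the clean sample passes, the persisted sample is flagged.
audit_checkout "$(write_sample_config clean)"
if audit_checkout "$(write_sample_config persisted)" 2>/dev/null; then
  echo "expected the persisted sample to be flagged" >&2
  exit 1
fi
echo "audit self-test passed"
```

Run as a step right after `actions/checkout`, the audit turns a silent credential leak into a red job; the token value is never echoed, only the key that held it. It complements rather than replaces the fix in the comment above: once the checkout no longer persists a token, any step that really needs authenticated git has to receive a token explicitly and configure git to use it.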


- uses: actions/setup-node@v4
with: