Skip to content

Use non-Actions token for auto-merge so release.yml actually fires#53

Open
me-bender[bot] wants to merge 1 commit into
mainfrom
bender/fix-bump-pr-token
Open

Use non-Actions token for auto-merge so release.yml actually fires#53
me-bender[bot] wants to merge 1 commit into
mainfrom
bender/fix-bump-pr-token

Conversation

@me-bender

@me-bender me-bender Bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

Problem

The auto-merge step in this workflow uses secrets.GITHUB_TOKEN. GitHub attributes the resulting push to github-actions[bot] and suppresses downstream workflow triggers for any event originating from GITHUB_TOKEN — so release.yml (on: push: branches: [main]) does not fire when this workflow auto-merges its bump PR.

This was the exact failure mode that hit lunar-2.2.1 (2026-05-27): PR #52 merged at 21:33Z, but chart-releaser never ran. The release had to be unblocked with a manual empty commit to main.

Fix

Swap the GH_TOKEN env from secrets.GITHUB_TOKEN to secrets.LUNAR_DIST_GITHUB_TOKEN. The latter is the same token earthly/lunar's release.yml uses to dispatch this workflow in the first place — when it pushes a merge commit, the actor is the token owner (not github-actions[bot]), and on: push workflows fire normally.

A brief YAML comment is added above the env var so the next person to touch this doesn't reset it back to the obvious-looking GITHUB_TOKEN.

Prerequisite

LUNAR_DIST_GITHUB_TOKEN needs to be present as an Actions secret in this repo with repo (or at minimum contents: write + pull-requests: write) scope. If it's already configured in earthly/charts secrets the change is no-op; if not, it needs to be added before the next lunar-hub-v* tag, or the bump workflow will fail at the push step.

@brandonSc — can you confirm whether the secret is already there? If not, mirror whatever's in earthly/lunar Actions secrets.

Test plan

  • Confirm LUNAR_DIST_GITHUB_TOKEN exists in earthly/charts Actions secrets (or add it)
  • Next lunar-hub-v* tag → bump workflow runs → auto-merge happens → release.yml fires on the merge push without manual intervention
  • lunar-X.Y.Z.tgz published as a GitHub release within ~1 min of the bump PR merging

The merge step uses GITHUB_TOKEN, which means the resulting push to main
is attributed to github-actions[bot]. GitHub suppresses workflow runs
for events triggered by GITHUB_TOKEN, so release.yml (on: push: main)
does not fire after the auto-merge — chart-releaser never runs.

Hit on 2026-05-27 with the lunar-2.2.1 bump: PR #52 merged cleanly but
release.yml had to be retriggered via an empty commit on main.

Swapping to LUNAR_DIST_GITHUB_TOKEN (already used in earthly/lunar's
release.yml to dispatch this workflow) attributes the merge to that
token's owner, which does fire downstream workflows.
@me-bender me-bender Bot requested a review from brandonSc May 27, 2026 21:56
@lunar-internal

lunar-internal Bot commented May 27, 2026

Copy link
Copy Markdown

🌒 Earthly Lunar

❌ 2 Failing

  • changelog-exists changelog.changelog-exists - Verifies that a CHANGELOG file exists in the repository root. Detects
    common variants (CHANGELOG.md, CHANGELOG, CHANGES.md, HISTORY.md,
    RELEASES.md). Intended for repos that ship versioned releases — apply
    via lunar-config on: targeting (e.g. public-only) rather than blanketly.
    Reads from .repo.changelog.

  • instruction-file-exists ai.instruction-file-exists - Verifies that an agent instruction file exists at the repository root. Checks
    ai.instructions.all[] which is populated by the ai collector (AGENTS.md) and
    tool-specific collectors via array append (CLAUDE.md, CODEX.md, GEMINI.md).
    Passes if any entry exists.

    • No agent instruction file found at repository root (e.g. AGENTS.md, CLAUDE.md, GEMINI.md)

More Details

✅ 11 Passing

  • branch-protection-enabled vcs.branch-protection-enabled - Requires branch protection rules to be enabled on the default branch.
    Branch protection is the foundation for all other VCS security controls.

  • build-tagged container.build-tagged - Requires container builds to use an explicit image tag via -t/--tag.
    Untagged builds produce anonymous images that cannot be tracked or deployed.

  • codeowners-catchall repo-hygiene.codeowners-catchall - Requires a default catch-all rule (*) in CODEOWNERS so that every file
    in the repository has at least one owner.

8 more...
  • codeowners-exists repo-hygiene.codeowners-exists - Requires a CODEOWNERS file to be present in the repository.
    Checks standard locations: root, .github/, or docs/.

  • codeowners-valid repo-hygiene.codeowners-valid - Validates that the CODEOWNERS file has correct syntax.
    Checks that all owner references use valid formats (@user, @org/team, or email).

  • disallow-force-push vcs.disallow-force-push - Prohibits force pushes to protected branches to preserve commit history.
    Force pushes can destroy audit trails and cause data loss.

  • no-latest container.no-latest - Prevents use of the :latest tag (explicit or implicit) in base images.
    Using :latest creates non-reproducible builds and makes debugging difficult.

  • readme-exists repo-hygiene.readme-exists - Verifies that a README file exists in the repository root.
    Every repository should have basic documentation for discoverability.

  • require-default-branch vcs.require-default-branch - Validates the default branch name matches the required name (default "main").
    Helps standardize branch naming across repositories.

  • require-pull-request vcs.require-pull-request - Requires all changes to go through pull requests before merging.
    Prevents direct pushes to protected branches without review.

  • stable-tags container.stable-tags - Requires base images to use stable tags: digests (sha256:...) or full semver (1.2.3).
    Partial versions like "node:20" can change unexpectedly and break builds.

More Details

@brandonSc brandonSc marked this pull request as ready for review June 1, 2026 18:28
@brandonSc brandonSc requested a review from dchw as a code owner June 1, 2026 18:28
@brandonSc

Copy link
Copy Markdown
Contributor

is that token set that this is depending on? also you have a merge conflict

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant