actions/mise-action
12
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-05-14 05:50:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

fix(ci): add gh auth setup-git to release-plz.sh (#473)
Some checks failed
release-plz / release-plz (push) Has been cancelled
Details
build-test / build (push) Has been cancelled
Details
zizmor / zizmor (push) Has been cancelled
Details
Continuous Integration / TypeScript Tests (push) Has been cancelled
Details
Check dist/ / Check dist/ (push) Has been cancelled
Details
CodeQL / Analyze (push) Has been cancelled
Details
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
Details
build-test / alpine (push) Has been cancelled
Details
build-test / macos (push) Has been cancelled
Details
build-test / ubuntu (push) Has been cancelled
Details
build-test / windows (push) Has been cancelled
Details
build-test / specific_version (push) Has been cancelled
Details
build-test / checksum_failure (push) Has been cancelled
Details
build-test / custom_cache_key (push) Has been cancelled
Details
build-test / fetch_from_github (push) Has been cancelled
Details
build-test / final (push) Has been cancelled
Details

Browse source 
## Summary
- Follow-up to [#471](https://github.com/jdx/mise-action/pull/471): the
release-plz checkout now uses `persist-credentials: false`, so the token
isn't written to `.git/config` and `git push origin release --force` in
[scripts/release-plz.sh](scripts/release-plz.sh) would 403.
- Mirror the workaround already applied to
[scripts/postversion.sh:9](scripts/postversion.sh:9) by calling `gh auth
setup-git` after the `git config user.{name,email}` block, before any
`git push`.

Flagged by Cursor Bugbot on
https://github.com/jdx/mise-action/pull/471#pullrequestreview-4275760577.

## Test plan
- [ ] Next scheduled release-plz run (or manual `workflow_dispatch`)
successfully pushes the `release` branch without a 403.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk CI-only change that affects the release automation path; main
impact is whether the workflow can successfully push the `release`
branch.
> 
> **Overview**
> Fixes the `scripts/release-plz.sh` release automation to run `gh auth
setup-git` after setting the git author, ensuring `git push` works when
`actions/checkout` uses `persist-credentials: false`.
> 
> This prevents 403 failures when pushing the forced `release` branch
during automated version bump PR creation.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f69419101e. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
jdx 2026-05-12 16:20:22 -04:00 committed by GitHub
parent 46bb674500
commit a0eaf7aa03
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
scripts/release-plz.sh
View file

@ -47,6 +47,11 @@ if [ -n "$latest_release_version" ] && [ "$cur_pkg_version" = "$latest_release_v
git config user.name mise-en-dev
git config user.email 123107610+mise-en-dev@users.noreply.github.com
# Configure git to use gh's credential helper. The checkout step uses
# persist-credentials: false (per zizmor's artipacked audit), so the
# token isn't written to .git/config and raw `git push` would 403.
gh auth setup-git
# Create a PR with the version bump
npm version "${version#v}" --no-git-tag-version