From 27dfaab36019d30f452332bbc56494cfb7a40c4b Mon Sep 17 00:00:00 2001
From: Razvan Dimescu <ssaricu@gmail.com>
Date: Wed, 8 Apr 2026 18:26:21 +0300
Subject: [PATCH] ci: pass PAT to action-gh-release so release events propagate
 (#44)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Actions deliberately does not propagate workflow events triggered
by the default GITHUB_TOKEN — a safety feature against infinite loops.
softprops/action-gh-release falls back to GITHUB_TOKEN when no `token`
is supplied, so the resulting `release: published` event was silently
swallowed and never reached homebrew-bump.yml.

Discovered shipping v0.10.1: tag pushed cleanly, crates.io published
cleanly, GitHub release page created cleanly, but the brew tap never
auto-bumped. Had to trigger homebrew-bump.yml manually via
workflow_dispatch.

Fix: pass HOMEBREW_TAP_GITHUB_TOKEN explicitly. This is already a PAT
(used by homebrew-bump.yml to push cross-repo to razvandimescu/
homebrew-tap), so reusing it keeps the secret surface flat. PAT-authored
release events are the documented escape hatch from the GITHUB_TOKEN
no-propagation rule.

Applies to v0.10.2+. v0.10.1 was bumped manually.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 057a8d0..3396667 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -103,6 +103,14 @@ jobs:
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
+          # Use a PAT (not the default GITHUB_TOKEN) so the resulting
+          # `release: published` event propagates to downstream workflows
+          # like homebrew-bump.yml. Events triggered by GITHUB_TOKEN are
+          # deliberately not propagated by GitHub Actions to prevent
+          # infinite loops; PAT-authored events are the documented escape
+          # hatch. Reusing HOMEBREW_TAP_GITHUB_TOKEN (already a PAT used
+          # by homebrew-bump.yml itself) keeps the secret surface flat.
+          token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           generate_release_notes: true
           files: |
             *.tar.gz