Reverts PR #44's approach of swapping GITHUB_TOKEN for a PAT on action-gh-release. That approach worked in principle but failed in practice during the v0.10.2 cut: HOMEBREW_TAP_GITHUB_TOKEN is a fine-grained PAT scoped only to razvandimescu/homebrew-tap, so when action-gh-release tried to create a release on razvandimescu/numa it got 403 Resource not accessible. v0.10.2 had to be recovered manually via `gh release create` from a user PAT.

Root cause of the original bug (from #44): GitHub Actions deliberately does not propagate workflow events triggered by GITHUB_TOKEN, so a release created by GITHUB_TOKEN silently failed to fire homebrew-bump's `release: published` trigger.

Fix: sidestep the event-propagation rule entirely by invoking homebrew-bump.yml directly as a reusable workflow via `workflow_call`.

- release.yml: drop the `token:` override on action-gh-release (reverts to GITHUB_TOKEN default, which v0.10.0 and v0.10.1 used successfully) and add a new `bump-homebrew` job that `needs: release` and `uses:` homebrew-bump.yml with `secrets: inherit`.
- homebrew-bump.yml: add `workflow_call` trigger with a `version` input, remove the `release: published` trigger (no longer needed), keep `workflow_dispatch` for manual recovery, and collapse the version determination step to a single `inputs.version` read.

Each token now does exactly what its scope permits:

- GITHUB_TOKEN creates the release on numa (contents: write, default)
- HOMEBREW_TAP_GITHUB_TOKEN pushes to homebrew-tap (unchanged)

The tap update becomes a child job in the release run, so failures are visible in one place instead of "why didn't the release event fire?" mysteries.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
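A sketch of the layout the commit message describes, added here as an illustration and not taken from the repository's own workflow files. The tag trigger, job and step names, action versions (including the assumption that "action-gh-release" is softprops/action-gh-release), the file paths and the formula-update step are all assumptions; only the `needs`/`uses`/`secrets: inherit` wiring, the `version` input and the token split come from the message.

```yaml
# .github/workflows/release.yml (caller; constructed sketch)
name: release
on:
  push:
    tags: ["v*"]            # assumed trigger, not stated in the commit message
permissions:
  contents: write           # scope the default GITHUB_TOKEN needs to create the release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # No `token:` override: the action falls back to GITHUB_TOKEN.
      - uses: softprops/action-gh-release@v2
  bump-homebrew:
    needs: release          # runs only after the release job succeeds
    uses: ./.github/workflows/homebrew-bump.yml
    with:
      version: ${{ github.ref_name }}   # assumed source of the version string
    secrets: inherit        # makes HOMEBREW_TAP_GITHUB_TOKEN available to the callee
---
# .github/workflows/homebrew-bump.yml (callee; constructed sketch)
name: homebrew-bump
on:
  workflow_call:            # direct invocation, so no event propagation is involved
    inputs:
      version:
        required: true
        type: string
  workflow_dispatch:        # kept for manual recovery
    inputs:
      version:
        required: true
        type: string
jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: razvandimescu/homebrew-tap
          token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}  # PAT scoped to the tap only
      - name: Update formula
        env:
          VERSION: ${{ inputs.version }}  # pass via env rather than inline in `run:`
        run: echo "bump formula to $VERSION"  # placeholder for the real update step
```

Passing `inputs.version` through `env` keeps a manually dispatched value out of the shell command text, which matters because `workflow_dispatch` accepts free-form input.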