From 039f4f4a205244aa43cd827012a016690912a61f Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Thu, 7 Oct 2021 10:41:38 +0200
Subject: [PATCH] Improve release workflow (#6646)
* Use PAT to avoid version bump commit problems due to branch protections
Following the instructions of stefanzweifel/git-auto-commit-action [1] for pushing to branches with branch protections, this changes the create release workflow to fetch the repo with a PAT (that must belong to an admin for this to work). As a result, when pushing the version bump commit, the required status checks are not required (provided the rules are not applied to admins).
---
1. https://github.com/stefanzweifel/git-auto-commit-action#push-to-protected-branches
* Add warning to not add `on: push` to create release workflow
* Enforce that create-release isn'ttriggered by push events
---
 .github/workflows/create-release.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index e38a2a59..ca08509e 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -1,5 +1,7 @@
 name: Create Release Pull Request
 on:
+ # THIS WORKFLOW SHOULD NEVER BE TRIGGERED ON A PUSH EVENT. IF TRIGGERED ON A
+ # PUSH EVENT IT MAY CREATE AN ENDLESS STREAM OF 'version bump' COMMITS.
 workflow_dispatch:
 schedule:
 # "At 00:00 on Sunday" (https://crontab.guru/once-a-week)
@@ -16,6 +18,7 @@ on:
 jobs:
 release-pr:
 runs-on: ubuntu-latest
+ if: github.event_name != 'push'
 outputs:
 did-create-pr: ${{ steps.release.outputs.did-create-pr }}
 new-version: ${{ steps.release.outputs.new-version }}
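Review bot: The `if: github.event_name != 'push'` guard on release-pr is a denylist, so it fails open for any trigger other than push that is later added under `on:`. An allowlist of the triggers visible in the first hunk would fail closed: `if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'`. The same applies to the first clause of the version-bump condition in the next hunk, which is the job that receives `secrets.RELEASE_TOKEN`. Part of the `on:` block lies between the two hunks and is not shown, so confirm no other trigger is declared there before switching.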
@@ -27,11 +30,15 @@ jobs:
 version-bump:
 runs-on: ubuntu-latest
 needs: release-pr
- if: needs.release-pr.outputs.did-create-pr == 'true'
+ if: |
+ github.event_name != 'push' &&
+ needs.release-pr.outputs.did-create-pr == 'true'
 steps:
 - name: Checkout
 uses: actions/checkout@v2
 with:
+ # Ensure the commit can be pushed regardless of branch protections (must belong to an admin of this repo)
+ token: ${{ secrets.RELEASE_TOKEN }}
 # Ensure we are checked out on the develop branch
 ref: develop
 - name: Bump version
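Review bot: The `token: ${{ secrets.RELEASE_TOKEN }}` input hands an admin PAT to actions/checkout, which by default (`persist-credentials: true`) leaves it in the checkout's git configuration for the rest of the job. The 'Bump version' step and every later step can therefore use a credential that bypasses branch protection. The checkout is referenced by a mutable tag (`actions/checkout@v2`), and the later steps are outside the hunk, so check those as well. Pinning the actions in this job to full commit SHAs, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`, would limit what code can run with that token. I would also extend the new comment to record the minimum scope the PAT needs and that pushes made with a PAT trigger other workflows, which is presumably why the push guard was added.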