fix(ci): kick workflow requires RELEASE_KICK_PAT + loud failure mode (closes #906)#907
Conversation
…906) Defect discovered during v0.57.0 release: kick workflow's GITHUB_TOKEN-authored push cannot trigger downstream pull_request workflows by GitHub design (no-recursion safety), so the release PR stays BLOCKED despite the kick appearing successful. Fix applies "Code-gen self-review" from AGENTS.md (#904): - Failure mode (loud): added a verification step that polls check-runs for 90s and fails the workflow if no non-Vercel checks start. The silent success was the #906 failure pattern. - Default coupling: prefer RELEASE_KICK_PAT secret, fall back to GITHUB_TOKEN with a warning and an immediate exit 1 in the verify step. - Concurrency / auto-detect: preserved from #902. Runbook updated with PAT setup instructions. Local script (scripts/release-please-kick.sh) remains the unconditional fallback — it pushes via user PAT (gh OAuth), bypassing the no-recursion limit. Closes #906.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
River Reviewer
選択されたスキル (0)
スキップされたスキル (87)
優先度サマリー
スコア (参考値)結果(スコア): 96/100 内訳:
指摘
|
| 1. Confirm `RELEASE_KICK_PAT` secret is configured (above). | ||
| 2. Go to **Actions → Release Please Kick → Run workflow**. | ||
| 3. Leave `branch` blank—the workflow auto-detects the open release-please PR. | ||
| 4. The workflow also verifies a non-Vercel check started within 90s; if not, it fails loudly |
There was a problem hiding this comment.
A 90-second timeout for a check run to start can sometimes be too short during periods of high GitHub Actions load or API latency, which may lead to false-positive workflow failures. It would be helpful to add a brief note indicating that the workflow can be safely re-run if it times out due to GitHub latency.
| 4. The workflow also verifies a non-Vercel check started within 90s; if not, it fails loudly | |
| 4. The workflow also verifies a non-Vercel check started within 90s (re-run if it times out due to GitHub latency); if not, it fails loudly |
PlanGate Review
PlanGate review decision: pass
ポリシー: critical=fail / major=fail-if-required (warn) / minor=comment-only / info=skipped — spec: |
Summary
Fixes #906 — defect discovered during v0.57.0 release. The kick workflow's
GITHUB_TOKEN-authored push cannot trigger downstreampull_requestworkflows (GitHub no-recursion safety), so the release PR stays BLOCKED despite the kick appearing successful.Applies Code-gen self-review (AGENTS.md from #904) — specifically the "Failure mode" point that was meant to prevent exactly this kind of silent success.
Changes
commits/{sha}/check-runsfor 90s and fails the workflow if no non-Vercel checks start. The silent success was the fix(ci): release-please-kick workflow needs PAT (GITHUB_TOKEN cannot trigger downstream CI) #906 pattern.RELEASE_KICK_PATsecret preferred; fallback toGITHUB_TOKENemits warnings and then exits 1 in the verify step (rather than completing green with zero effect).Local
scripts/release-please-kick.shremains the unconditional fallback — it pushes via gh OAuth (user PAT), so it bypasses the no-recursion limit. Used to unblock #903 (v0.57.0).Test plan
node scripts/fix-dashes.mjs --checkcleanRELEASE_KICK_PATsecret (manual, post-merge)Codify-then-validate self-check