Description
The real problem
Turns out, naming my package alexaka1/package was the issue. This is a perfectly valid name; on npm I would need an @ prefix to my name, but I don't use npm. So this should be fine. And IT IS, if used via git-cli.
Original issue
I have switched to using a dedicated github app, to automate releases.
Here is the workflow in question:
```yaml
name: "Version packages"
on:
  push:
    branches:
      - main
concurrency: ${{ github.workflow }}-${{ github.ref }}-changesets
permissions:
  contents: read
jobs:
  check-release:
    name: Prepare release
    runs-on: ubuntu-24.04-arm
    environment: release
    timeout-minutes: 10
    defaults:
      run:
        shell: bash
    permissions:
      pull-requests: write
      contents: write
      issues: read
      id-token: write
    steps:
      # ...
      - name: Generate Github App token to create releases
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: GitHub API only supports non-executable files and directories
        # https://github.com/changesets/action/issues/523
        run: git ls-files | while read -r file; do [ -x "$file" ] && chmod -x "$file" || true; done
      # pnpm install ...
      - name: Create Release Pull Request or Prepare release
        id: changesets
        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
        with:
          version: pnpm run version
          publish: pnpm exec changeset publish
          commitMode: 'github-api'
          createGithubReleases: 'true'
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```

config.json:

```json
{
  "$schema": "https://unpkg.com/@changesets/config@3.0.4/schema.json",
  "changelog": ["@changesets/changelog-github", { "repo": "alexaka1/distroless-dotnet-healthchecks" }],
  "commit": false,
  "fixed": [],
  "linked": [],
  "access": "restricted",
  "baseBranch": "main",
  "updateInternalDependencies": "patch",
  "ignore": [],
  "privatePackages": {
    "version": true,
    "tag": true
  }
}
```

The github app in question has these permissions:
- Read access to issues and metadata
- Read and write access to code and pull requests
I assume this is enough.
The logs show this when running:
```
Run changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba
  with:
    version: pnpm run version
    publish: pnpm exec changeset publish
    commitMode: github-api
    createGithubReleases: true
    setupGitUser: true
  env:
    PNPM_HOME: /home/runner/setup-pnpm/node_modules/.bin
    GITHUB_TOKEN: ***
setting git user
setting GitHub credentials
No changesets found. Attempting to publish any unpublished packages to npm
No user .npmrc file found, creating one
/home/runner/setup-pnpm/node_modules/.bin/pnpm exec changeset publish
🦋 success found untagged projects:
🦋 alexaka1/distroless-dotnet-healthchecks@1.5.2
🦋 New tag: alexaka1/distroless-dotnet-healthchecks@1.5.2
```
However, the tag is not pushed (nor is the release created) and I have no idea why. The reason I switched to a github app instead of the implicit token is because I have set up push triggers on tags.
I do also have rulesets set up:
Additionally require signed commits, and block force pushes are also ticked.
Here is what works:
- PR creation for version bumps, with signed commit, i.e.: Version Packages alexaka1/distroless-dotnet-healthchecks#993
- using the git-cli to create and push tags (by using the release bot's token as PAT), i.e.: https://github.com/alexaka1/distroless-dotnet-healthchecks/releases/tag/alexaka1%2Fdistroless-dotnet-healthchecks%400.0.0-20251222144934
So the github app token retrieval works fine, otherwise it would not be able to create the PR and push commits.
And the rulesets also work fine, otherwise it would not be able to push the git tag via cli, because only the bot user is allowed to do that.
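
A pre-release check for the naming problem described at the top of this issue, as an added example that is not part of the original post and is not code from changesets: it reads `New tag:` lines like those in the log above and flags package names that contain a `/` without an `@` scope prefix. The function names are hypothetical and the sample output is constructed.

```javascript
// Added example; not code from changesets/action. All function names are hypothetical.

// Split "name@version" on the LAST "@", so a leading scope "@" stays in the name.
function splitTag(tag) {
  const at = tag.lastIndexOf("@");
  if (at <= 0) return null; // no version separator, or only a leading scope "@"
  return { name: tag.slice(0, at), version: tag.slice(at + 1) };
}

// Classify a package name by the npm form the post refers to:
// a name containing "/" is expected to look like "@scope/name".
function classifyName(name) {
  if (!name.includes("/")) return "unscoped";
  const parts = name.split("/");
  const wellFormed =
    name.startsWith("@") && parts.length === 2 &&
    parts[0].length > 1 && parts[1].length > 0;
  return wellFormed ? "scoped" : "slash-without-scope";
}

// Pull every "New tag:" entry out of publish output and report the risky ones.
function findRiskyTags(publishOutput) {
  const findings = [];
  for (const line of publishOutput.split(/\r?\n/)) {
    const m = line.match(/New tag:\s+(\S+)/);
    if (!m) continue;
    const parsed = splitTag(m[1]);
    if (!parsed) {
      findings.push({ tag: m[1], reason: "no-version" });
    } else if (classifyName(parsed.name) === "slash-without-scope") {
      findings.push({ tag: m[1], ...parsed, reason: "slash-without-scope" });
    }
  }
  return findings;
}

// Constructed sample output, modelled on the log lines in the issue.
const sampleOutput = [
  "🦋  success found untagged projects:",
  "🦋  New tag:  alexaka1/distroless-dotnet-healthchecks@1.5.2",
  "🦋  New tag:  @example-scope/pkg@2.0.0",
  "🦋  New tag:  plain-pkg@0.3.1",
].join("\n");

for (const f of findRiskyTags(sampleOutput)) {
  console.log(`${f.tag}: ${f.reason}`);
}
```

Run against captured publish output before relying on tag-triggered workflows; a non-empty result means a tag name may not be handled the same way by every tool in the release path.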