From 77f72f6fc8a4e36bd0d9ba83e7c0e30a4a2c4790 Mon Sep 17 00:00:00 2001 From: Kazuki Yamada Date: Sat, 30 May 2026 22:35:00 +0900 Subject: [PATCH] ci(schema): Deliver schema updates via PR instead of direct push to main MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit intent(schema-update): the Update Schema workflow's direct push to main fails at every version bump — the branch ruleset rejects it (GH013, pull_request required) because github-actions[bot] is not in the bypass list (only the admin role is) decision(schema-update): on main (push / workflow_dispatch) open a PR via peter-evans/create-pull-request instead of pushing; keep the existing git-auto-commit-into-PR-branch behavior for pull_request events so schema changes still ride along with the PR that caused them decision(schema-token): use the existing COMMITTER_TOKEN PAT so the generated PR triggers CI and is mergeable; the create-pull-request step is gated to non-pull_request events, so the PAT is never exposed to fork-triggered runs constraint(branch-ruleset): main requires PR + 1 approving + code-owner review with no required status checks, so the schema PR is merged by the admin (bypass) — typically one click per release Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/schema-update.yml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/.github/workflows/schema-update.yml b/.github/workflows/schema-update.yml index b408e100..6f41a5c7 100644 --- a/.github/workflows/schema-update.yml +++ b/.github/workflows/schema-update.yml @@ -9,6 +9,7 @@ on: permissions: contents: write + pull-requests: write jobs: generate-schema: 
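Review bot: `pull-requests: write` widens the workflow's GITHUB_TOKEN, but as far as this patch shows nothing uses it: the only step that opens a pull request (next hunk) authenticates with the `COMMITTER_TOKEN` PAT, and git-auto-commit on the `pull_request` path pushes with `contents: write` alone. Unless a step outside this hunk calls the PR API with GITHUB_TOKEN, the `permissions:` block should stay at `contents: write` to keep the default token at least privilege. If the grant is deliberately kept as a fallback for a missing PAT, record that next to it, e.g. `# pull-requests: write is only needed if COMMITTER_TOKEN is unset`.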
@@ -24,9 +25,32 @@ jobs: cache: npm - run: npm ci - run: node --run website-generate-schema - - uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 + + # On pull requests, commit the regenerated schema back into the PR branch + # so the schema change rides along with the PR that caused it. + - if: github.event_name == 'pull_request' + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 with: commit_message: 'chore(schema): auto generate schema' commit_user_name: "github-actions[bot]" commit_user_email: "github-actions[bot]@users.noreply.github.com" commit_author: "github-actions[bot] " + + # On main (e.g. after a version bump), direct pushes are blocked by the + # branch ruleset (pull_request required), so deliver the regenerated + # schema as a PR instead. COMMITTER_TOKEN is used so the PR triggers CI + # and is mergeable. + - if: github.event_name != 'pull_request' + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 + with: + token: ${{ secrets.COMMITTER_TOKEN }} + commit-message: 'chore(schema): auto generate schema' + branch: chore/schema-update + delete-branch: true + title: 'chore(schema): Update configuration JSON schema' + body: | + Automated schema update generated by the Update Schema workflow. + + Direct pushes to `main` are blocked by the branch ruleset, so the + regenerated schema is delivered as this PR instead. + author: 'github-actions[bot] '
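Review bot: The gate on the create-pull-request step is a deny-list, `if: github.event_name != 'pull_request'`, so any trigger added to `on:` later — `pull_request_target` or `issue_comment`, for instance — would run the PAT-bearing step against a checkout that may be attacker-controlled; an allow-list matches the stated intent and fails closed: `if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'`. The `on:` block and the checkout step sit outside this hunk, so whether the push trigger is filtered to `main` cannot be confirmed here; if it is not, a push to any branch would open a schema PR from that branch, and `&& github.ref == 'refs/heads/main'` belongs in the same condition. Note that the commit message's claim that this gate keeps the PAT away from fork-triggered runs holds today only because `pull_request` runs from forks receive no secrets at all, not because of the condition, which is why the positive form is worth the extra characters. Scoping `COMMITTER_TOKEN` to this repository with only contents and pull-requests permissions (fine-grained PAT) would bound the blast radius if the gate is ever bypassed; the PAT's scope is not visible in the diff.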