Skip to content

docs: channel branches need environment deployment-branch allowances#106

Merged
theoephraim merged 1 commit into
nextfrom
docs/channel-env-branch-protection
Jun 12, 2026
Merged

docs: channel branches need environment deployment-branch allowances#106
theoephraim merged 1 commit into
nextfrom
docs/channel-env-branch-protection

Conversation

@theoephraim

@theoephraim theoephraim commented Jun 12, 2026

Copy link
Copy Markdown
Member

When the publish job runs in a GitHub Environment with deployment branch restrictions (our recommended hardening restricts it to main), prerelease channel branches can't enter the environment — with trusted publishing this means OIDC token requests are rejected and channel publishes fail.

Adds reminders in both places users would hit this:

  • docs/prereleases.md — setup step 3 (adding the channel branch to the release workflow) now calls out updating the environment's allowed deployment branches.
  • docs/github-actions.md — the "restrict deployment branches to main" hardening bullet now notes channel branches must be added to the allowed list.

@github-actions

github-actions Bot commented Jun 12, 2026

Copy link
Copy Markdown

bumpy-frog

This PR includes an empty bump file — no version bump is needed.

This comment is maintained by bumpy.

@theoephraim theoephraim merged commit 8f2fae7 into next Jun 12, 2026
4 checks passed
@theoephraim theoephraim mentioned this pull request Jun 12, 2026
Merged
theoephraim added a commit that referenced this pull request Jun 13, 2026
@theoephraim @bumpy-bot
Promote next channel to stable (@varlock/bumpy 1.14.0) (#110)
60e1f7a 
Promotes the `next` prerelease channel to stable. This merge carries the
cycle's accumulated bump files (in `.bumpy/next/`) into main — versions
never diverged, so the diff is the feature work plus file moves.

On merge, main's release workflow will open the ordinary stable version
PR: `@varlock/bumpy` → **1.14.0**, with a consolidated changelog entry
built from the cycle's bump files. The `@next` dist-tag has shipped
`1.14.0-rc.0` and `1.14.0-rc.1` through this cycle.

What's in the cycle:

- **Prerelease channels**
([#104](#104)) — branch-based
prerelease lines; versions derived at publish time, never committed.
- **Deterministic channel release PR titles**
([#107](#107)) — wildcard `rc.x`
counters in PR titles/bodies/commits so they can't drift from the
registry; package count for multi-package cycles. Validated live on
[#109](#109).
- **Docs** ([#106](#106)) —
environment deployment-branch allowances for channel branches with
trusted publishing.

---------

Co-authored-by: bumpy 🐸 <bumpy.bot@varlock.dev>
Co-authored-by: bumpy-bot <276066384+bumpy-bot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@theoephraim