
fix(ci): enable CI workflows to trigger on changeset release PRs #3444

Draft
kdaviduik wants to merge 2 commits into main from kd-fix-release-pr-ci

@kdaviduik
Contributor

Summary

  • Fix CI checks not running on changeset release PRs by using PAT for checkout
  • Add temporary debug job to verify token type

Problem

CI checks weren't running on changeset release PRs (like [ci] release 2025.10.0). The root cause is GitHub's security feature that prevents events triggered by GITHUB_TOKEN from creating new workflow runs.

The actions/checkout step was using the default GITHUB_TOKEN, so when the changesets action subsequently created/updated PRs, no CI workflows would trigger.

Solution

Add token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }} to the checkout steps in:

  • release job (for production releases)
  • backfix-release job (for back-fix releases)

When checkout uses a PAT, all subsequent git operations (commits, pushes by the changesets action) are attributed to that token, and those events DO trigger workflows.

Verification

This PR includes a temporary debug job (🔍 Debug - Check PAT identity) that will show:

  • The token's identity (login, type, name)
  • The token prefix (first 4 characters)

For this fix to work, the token must be:

  • Type: User (not Bot)
  • Prefix: ghp_ or github_pat_ (not ghs_)

If the token is a GitHub App installation token, it won't work and will need to be replaced with a real-user PAT.

Test plan

  • Check the debug job output to verify token type
  • If token is correct type, remove debug job and merge
  • Create a test changeset PR to verify CI runs

The recipe system is being re-evaluated, and these failing CI jobs
create confusion for new contributors.

Uses `if: false` at the job level to skip execution while keeping
job definitions visible for future reference. Jobs will show as
"skipped" in GitHub Actions UI rather than being invisible.

To re-enable: remove the `if: false` line from each job.

Affected jobs:
- validate_recipes (ci.yml)
- deploy (deploy-examples.yml)

GitHub's security feature prevents events triggered by GITHUB_TOKEN from
creating new workflow runs. The checkout steps in release.yml were using
the default GITHUB_TOKEN, so when the changesets action created/updated
PRs, no CI workflows would trigger.

By explicitly providing a PAT (SHOPIFY_GH_ACCESS_TOKEN) to the checkout
action, subsequent git operations are attributed to that token's identity,
and those events DO trigger workflows.

Changes:
- Add token parameter to checkout in release job
- Add token parameter to checkout in backfix-release job
- Add temporary debug job to ci.yml to verify token type

The debug job will be removed once we confirm the token is a real-user PAT
(type: User, prefix: ghp_ or github_pat_) rather than a GitHub App token.
@shopify
Contributor

shopify bot commented Feb 5, 2026

Oxygen deployed a preview of your kd-fix-release-pr-ci branch. Details:

| Storefront | Status | Preview link | Deployment details | Last update (UTC) |
| --- | --- | --- | --- | --- |
| Skeleton (skeleton.hydrogen.shop) | ✅ Successful (Logs) | Preview deployment | Inspect deployment | February 5, 2026 5:30 PM |

Learn more about Hydrogen's GitHub integration.
