From 09d695f82d0e8bf9688e03976f4fc90ff51eeba6 Mon Sep 17 00:00:00 2001
From: David Meister
Date: Sat, 23 May 2026 09:20:56 +0000
Subject: [PATCH 1/2] feat: make PUBLISH_PRIVATE_KEY/CI_GIT_EMAIL/CI_GIT_USER optional in autopublish
---
 .github/workflows/rainix-autopublish.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/rainix-autopublish.yaml b/.github/workflows/rainix-autopublish.yaml
index ddb65a6..3fecac1 100644
--- a/.github/workflows/rainix-autopublish.yaml
+++ b/.github/workflows/rainix-autopublish.yaml
@@ -18,11 +18,11 @@ on:
 default: ''
 secrets:
 PUBLISH_PRIVATE_KEY:
- required: true
+ required: false
 CI_GIT_EMAIL:
- required: true
+ required: false
 CI_GIT_USER:
- required: true
+ required: false
 CARGO_REGISTRY_TOKEN:
 required: true
 NPM_PUBLISH_PRIVATE_TOKEN:
@@ -39,6 +39,11 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
+ # PUBLISH_PRIVATE_KEY is a deploy key whose push events trigger
+ # downstream workflows (unlike GITHUB_TOKEN pushes which don't).
+ # If the consumer hasn't set it, ssh-key is empty and checkout
+ # falls back to GITHUB_TOKEN over HTTPS — pushes still succeed,
+ # they just won't trigger tag-listening workflows.
 ssh-key: ${{ secrets.PUBLISH_PRIVATE_KEY }}
 fetch-depth: 0
 - uses: nixbuild/nix-quick-install-action@v30
@@ -56,8 +61,8 @@ jobs:
 run: nix develop github:rainlanguage/rainix#rust-shell -c cargo test -p ${{ inputs.crate }}
 - name: Git config
 run: |
- git config --global user.email "${{ secrets.CI_GIT_EMAIL }}"
- git config --global user.name "${{ secrets.CI_GIT_USER }}"
+ git config --global user.email "${{ secrets.CI_GIT_EMAIL || 'github-actions[bot]@users.noreply.github.com' }}"
+ git config --global user.name "${{ secrets.CI_GIT_USER || 'github-actions[bot]' }}"
 # Detect cargo changes.
 - name: Cargo hashes
 id: cargo
From 504712cb3ff556dd0b34a8a1ef663b6bcade92d3 Mon Sep 17 00:00:00 2001
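Review bot: The comment added above `ssh-key:` says pushes "still succeed" on the GITHUB_TOKEN fallback, but that holds only when the token has write access to repository contents. No `permissions:` block is visible in this hunk, and the job definition starts outside it, so whether the workflow or its caller grants that access cannot be confirmed from here. I would add a line to the comment such as `# The fallback needs contents: write on GITHUB_TOKEN; callers with read-only defaults must grant it.` so a consumer who omits the deploy key knows why a push was rejected. The fallback is otherwise silent, so a consumer who expected tag-triggered workflows gets no signal that the deploy key was not used.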
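Review bot: The two new `git config` lines in the `Git config` step paste `${{ secrets.… || '…' }}` directly into the script text, so the value is substituted before the shell parses the line. A caller-supplied secret containing a double quote, backtick or `$(` would then be interpreted as shell syntax rather than stored as the identity. The secrets of this reusable workflow come from each caller, so passing them through `env:` and quoting the variables keeps them as data. The context line `cargo test -p ${{ inputs.crate }}` at the top of the hunk uses the same pattern with a caller-supplied input and deserves the same treatment. The step list continues outside the hunk.

```yaml
- name: Git config
  env:
    CI_GIT_EMAIL: ${{ secrets.CI_GIT_EMAIL || 'github-actions[bot]@users.noreply.github.com' }}
    CI_GIT_USER: ${{ secrets.CI_GIT_USER || 'github-actions[bot]' }}
  run: |
    git config --global user.email "$CI_GIT_EMAIL"
    git config --global user.name "$CI_GIT_USER"
# … unchanged: Cargo hashes step …
```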
From: David Meister
Date: Sat, 23 May 2026 09:21:41 +0000
Subject: [PATCH 2/2] ci: drop fetch-depth 0 from autopublish checkout
---
 .github/workflows/rainix-autopublish.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/rainix-autopublish.yaml b/.github/workflows/rainix-autopublish.yaml
index 3fecac1..ba0ad0e 100644
--- a/.github/workflows/rainix-autopublish.yaml
+++ b/.github/workflows/rainix-autopublish.yaml
@@ -45,7 +45,6 @@ jobs:
 # falls back to GITHUB_TOKEN over HTTPS — pushes still succeed,
 # they just won't trigger tag-listening workflows.
 ssh-key: ${{ secrets.PUBLISH_PRIVATE_KEY }}
- fetch-depth: 0
 - uses: nixbuild/nix-quick-install-action@v30
 with:
 nix_conf: |