.github/workflows/release.yml configuration for Node projects
package.json changes to a
GITHUB_TOKEN cannot be used if branch protection is enabled for the target branch. It is not advised to mitigate this limitation by overriding the automatically populated GITHUB_TOKEN variable with a Personal Access Token, as it poses a security risk. Because secret variables are available to Workflows triggered by any branch, the token becomes a potential attack vector: a Workflow triggered from a non-protected branch can expose and use a token with elevated permissions, rendering branch protection ineffective. Personal Access Tokens can be used in trusted environments, where all developers should have the ability to perform administrative actions in the given repository and branch protection is enabled solely for convenience, to remind about required reviews or CI checks.
persist-credentials option needs to be false, otherwise the generated GITHUB_TOKEN will interfere with the custom one. Example:
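The following workflow is an added example, not taken from the original page or from the project's own documentation. It shows persist-credentials set to false together with a custom token, and scopes that token to a branch-restricted environment so that workflows started from other branches cannot read it. The branch name main, the environment name release and the secret name RELEASE_PAT are assumptions.

```yaml
# Added example: semantic-release pushing with a custom token.
name: Release
on:
  push:
    branches:
      - main              # assumption: the protected release branch

permissions:
  contents: read          # keep the automatic GITHUB_TOKEN read-only

jobs:
  release:
    runs-on: ubuntu-latest
    # Assumption: an environment named "release" holds the secret and its
    # deployment branch rule allows only the protected branch. The trigger
    # filter above is not enough on its own, because a workflow file on
    # another branch can change its own trigger.
    environment: release
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Do not store the generated GITHUB_TOKEN in the local git config,
          # otherwise it interferes with the custom token used below.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "lts/*"
      - name: Install dependencies
        run: npm ci
      - name: Release
        env:
          # Assumption: RELEASE_PAT is a hypothetical secret name for the
          # Personal Access Token, stored as an environment secret.
          GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
        run: npx semantic-release
```

With the secret stored on the environment instead of the repository, a job that runs from a branch outside the deployment branch rule is rejected before the token is made available to it.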