From a58bf49818d472df9a733f8a104fe3ba73ce06fb Mon Sep 17 00:00:00 2001
From: Zbigniew Sobiecki <zbigniew@sobiecki.name>
Date: Wed, 18 Feb 2026 17:43:18 +0000
Subject: [PATCH] fix(ci): use PAT in release workflow to trigger downstream
 deploys

Pushes made by the default GITHUB_TOKEN do not trigger other workflows
(GitHub's loop-prevention policy). Switch the release PR steps to use
GHCR_PAT so the merge push to main is attributed to a real user and
correctly triggers the Build and Deploy workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 58694519..841ee93a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -76,7 +76,7 @@ jobs:
             exit 1
           fi
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GHCR_PAT }}
 
       - name: Create release PR
         if: ${{ !inputs.dry_run }}
@@ -94,7 +94,7 @@ jobs:
           echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
           echo "PR_URL=$PR_URL" >> "$GITHUB_ENV"
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GHCR_PAT }}
 
       - name: Enable auto-merge
         if: ${{ !inputs.dry_run }}
@@ -102,7 +102,7 @@ jobs:
           gh pr merge "$PR_NUMBER" --auto --merge
           echo "Auto-merge enabled on PR #$PR_NUMBER. It will merge once required checks pass."
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GHCR_PAT }}
 
       - name: Write step summary (post-create)
         if: ${{ !inputs.dry_run }}