From a4031b3ec271a2404a3f3a30b7e32660b5a42ae0 Mon Sep 17 00:00:00 2001
From: HiranoMasaaki <lambda.groove@gmail.com>
Date: Sun, 15 Feb 2026 12:35:33 +0000
Subject: [PATCH] fix: use PAT exclusively in release workflow without fallback

Remove GITHUB_TOKEN fallback so missing/expired PAT fails loudly
instead of silently falling back to GITHUB_TOKEN (which doesn't
trigger downstream workflows).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 00d40b62..b319b32f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,9 +49,7 @@ jobs:
           title: 'chore: version packages'
           commit: 'chore: version packages'
         env:
-          # Use PAT to trigger CI workflow on the created PR
-          # GITHUB_TOKEN doesn't trigger other workflows (GitHub security feature)
-          GITHUB_TOKEN: ${{ secrets.PAT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.PAT_GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -59,5 +57,4 @@ jobs:
         if: steps.changesets.outputs.pullRequestNumber
         run: gh pr merge ${{ steps.changesets.outputs.pullRequestNumber }} --auto --squash
         env:
-          # Use PAT so the merge triggers the Release workflow
-          GH_TOKEN: ${{ secrets.PAT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.PAT_GITHUB_TOKEN }}