
fix(blog): use GH_PAT for publish workflow #691

Merged
antoinedc merged 1 commit into develop from feature/blog-stack
Mar 14, 2026

Conversation

@antoinedc (Member)

Use GH_PAT instead of GITHUB_TOKEN to bypass branch protection on develop.

GITHUB_TOKEN lacks admin permissions to merge PRs that require
approving reviews. Use GH_PAT (already available as repo secret)
for both checkout and PR merge.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@antoinedc antoinedc force-pushed the feature/blog-stack branch from 5fb26bc to 1eb99e4 Compare March 14, 2026 12:19
@antoinedc antoinedc merged commit 3cd464e into develop Mar 14, 2026
2 checks passed
@antoinedc antoinedc deleted the feature/blog-stack branch March 14, 2026 12:19
@greptile-apps (bot) commented Mar 14, 2026

Greptile Summary

This PR fixes the blog publish workflow by replacing a direct git push origin develop (which was blocked by branch protection) with a GH_PAT-authenticated flow that creates a short-lived blog/publish-${SLUG} branch, opens a PR, and immediately merges it using gh pr merge --admin. It also adds an Astro build validation step in draft.sh to catch schema/syntax errors before committing, and trims an article description to satisfy the Zod 160-character limit.

Key changes:

  • blog-publish.yml: checkout and GH_TOKEN now use secrets.GH_PAT; publish step creates a branch and emits outputs; new "Create and merge PR" step uses --admin to bypass branch protection on develop.
  • blog/pipeline/draft.sh: adds npx astro build validation gate between the humanize phase and the commit/push, resetting the project card to detected if the build fails.
  • blog/pipeline/prompts/2-draft.md: reinforces the 160-char description constraint with an explicit build-failure warning.
  • blog/src/content/blog/the-commerce-layer-erc-8183.md: description shortened to comply with the Zod schema limit.

Issue found:

  • The "Create and merge PR" step uses if: steps.resolve.outputs.article != '' as its guard, but the "Publish article" step can exit cleanly with exit 0 (already-published case) without ever writing branch to $GITHUB_OUTPUT. When that happens the step still fires with empty $BRANCH/$TITLE, causing gh pr create to error. The condition should be changed to if: steps.publish.outputs.branch != ''.

Confidence Score: 3/5

  • Safe to merge after fixing the wrong step condition; the --admin auto-merge is intentional and scoped to a bot PAT.
  • The core approach (PAT + branch + PR + admin merge) is sound and correctly solves the branch-protection bypass problem. The Astro build gate in draft.sh is a clean addition. Score is reduced because the wrong condition on the "Create and merge PR" step (steps.resolve.outputs.article instead of steps.publish.outputs.branch) will cause the workflow to fail whenever it encounters an already-published article, and the orphaned-branch scenario could also block re-runs for the same slug.
  • .github/workflows/blog-publish.yml — the step condition and potential orphaned-branch issue need attention before merging.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/blog-publish.yml | Core workflow change: replaces direct push to develop with a create-branch → gh pr create → gh pr merge --admin flow using GH_PAT. Contains a logic bug where the "Create and merge PR" step uses the wrong condition and will fail when the publish step exits early (already-published article). |
| blog/pipeline/draft.sh | Adds an Astro build validation gate (npx astro build) before committing a draft article. Clean implementation with proper error handling and card status reset on failure. |
| blog/pipeline/prompts/2-draft.md | Minor prompt improvement: clarifies that descriptions must be ≤160 characters because the Zod schema in content.config.ts enforces it and the build will fail otherwise. |
| blog/src/content/blog/the-commerce-layer-erc-8183.md | Shortens the article description to comply with the 160-character Zod schema limit enforced by Astro's content collections. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant WD as workflow_dispatch
    participant GHA as GitHub Actions
    participant Repo as Repository
    participant GH as gh CLI (GH_PAT)

    WD->>GHA: trigger (optional slug)
    GHA->>Repo: checkout develop (GH_PAT)
    GHA->>Repo: resolve article path
    alt article found & is draft
        GHA->>Repo: update status draft→published
        GHA->>Repo: git checkout -b blog/publish-{slug}
        GHA->>Repo: git push origin blog/publish-{slug}
        GHA->>GH: gh pr create --base develop --head blog/publish-{slug}
        GH-->>GHA: PR_URL
        GHA->>GH: gh pr merge PR_URL --squash --admin --delete-branch
        GH-->>Repo: squash-merged into develop, branch deleted
    else article already published
        GHA->>GHA: exit 0 (no outputs set)
        Note over GHA: "Create and merge PR" step fires anyway<br/>(bug: condition checks wrong output)
    end
```


Comment on line 87 of .github/workflows/blog-publish.yml:
**Orphaned branch on downstream failure**

If `gh pr create` or `gh pr merge` (in the next step) fails, the branch `blog/publish-${SLUG}` will persist in the remote repository. A subsequent re-run for the same article will hit a `"branch already exists"` error on `git push origin "$BRANCH"`.

Consider adding a cleanup step that deletes the remote branch on failure, or add a `--force` push / branch-existence check:

```bash
# Before creating the branch, delete any existing remote ref
git push origin ":refs/heads/$BRANCH" 2>/dev/null || true
git checkout -b "$BRANCH"
```


Last reviewed commit: 1eb99e4

Comment on lines 93 to 94 of .github/workflows/blog-publish.yml:

```yaml
      - name: Create and merge PR
        if: steps.resolve.outputs.article != ''
```

**Wrong condition gate for "Create and merge PR" step**

The condition `if: steps.resolve.outputs.article != ''` does not account for the case where the "Publish article" step exits early with `exit 0` (e.g. when the article is already published — see line 67-68). In that case `steps.publish.outputs.branch` is never set, so `$BRANCH` and `$TITLE` are empty strings, and `gh pr create --head ""` will fail with an error.

The condition should reference the `publish` step's outputs instead:

Suggested change:

```suggestion
      - name: Create and merge PR
        if: steps.publish.outputs.branch != ''
```

This ensures the step only runs when the publish step actually created a branch and committed the article.
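An added example, not this PR's workflow, of a job that applies both review points above (the step gate from this comment and the orphaned-branch cleanup from the line-87 comment): the publish step writes `branch` to `$GITHUB_OUTPUT` only after it has pushed one, the merge step is gated on that output, and a `failure()` step deletes the remote branch if PR creation or the merge fails. The step ids, a `status:` frontmatter key, the article path layout, a required `slug` input and `actions/checkout@v4` are assumptions.

```yaml
on:
  workflow_dispatch:
    inputs:
      slug:
        required: true      # assumed: one article per run
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: develop
          token: ${{ secrets.GH_PAT }}   # PAT, not GITHUB_TOKEN: the admin merge needs it
      - name: Publish article
        id: publish
        env:
          SLUG: ${{ inputs.slug }}
        run: |
          set -euo pipefail
          ARTICLE="blog/src/content/blog/${SLUG}.md"   # assumed content layout
          if ! grep -q '^status: draft$' "$ARTICLE"; then
            echo "already published: no branch output, so the merge step is skipped"
            exit 0
          fi
          BRANCH="blog/publish-${SLUG}"
          # delete a ref left by a failed earlier run so the push below cannot collide
          git push origin ":refs/heads/$BRANCH" 2>/dev/null || true
          git checkout -b "$BRANCH"
          sed -i 's/^status: draft$/status: published/' "$ARTICLE"
          git -c user.name=blog-bot -c user.email=blog-bot@example.invalid commit -am "blog: publish ${SLUG}"
          git push origin "$BRANCH"
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"   # only set once a branch really exists
      - name: Create and merge PR
        if: steps.publish.outputs.branch != ''        # gate on the publish step's own output
        env:
          GH_TOKEN: ${{ secrets.GH_PAT }}
          BRANCH: ${{ steps.publish.outputs.branch }} # via env, not interpolated into the script
        run: |
          set -euo pipefail
          PR_URL=$(gh pr create --base develop --head "$BRANCH" --title "blog: publish ${BRANCH#blog/publish-}" --body "Automated publish")
          # --admin skips the required reviews on develop; what it can merge is bounded by the PAT's permissions
          gh pr merge "$PR_URL" --squash --admin --delete-branch
      - name: Remove orphaned branch
        if: failure() && steps.publish.outputs.branch != ''
        env:
          BRANCH: ${{ steps.publish.outputs.branch }}
        run: git push origin --delete "$BRANCH" || true
```

Because the cleanup step runs only when a branch output exists, the already-published path leaves nothing behind and a later re-run for the same slug does not hit "branch already exists".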

