
fix(blog): guard PR step on publish outputs #692

Merged
antoinedc merged 2 commits into develop from feature/blog-stack
Mar 14, 2026

@antoinedc
Member

Prevents failure when article is already published.

Antoine de Chevigné and others added 2 commits March 14, 2026 13:19
GITHUB_TOKEN lacks admin permissions to merge PRs that require
approving reviews. Use GH_PAT (already available as repo secret)
for both checkout and PR merge.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The "Create and merge PR" step was running even when the article
was already published, causing failures with empty branch/slug vars.
Now gates on publish step outputs being set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@antoinedc antoinedc merged commit 03342f2 into develop Mar 14, 2026
2 checks passed
@antoinedc antoinedc deleted the feature/blog-stack branch March 14, 2026 12:20
@greptile-apps

greptile-apps bot commented Mar 14, 2026

Greptile Summary

This PR fixes the blog publish workflow so that triggering it against an already-published article no longer causes the "Create and merge PR" step to fail with empty variables.

Key changes:

  • Guard condition fix (core of this PR): The if condition on the "Create and merge PR" step is changed from steps.resolve.outputs.article != '' to steps.publish.outputs.slug != ''. When an article is already published, the publish step exits early (exit 0) without writing any outputs, so slug is empty and the PR step is correctly skipped.
  • Token switch (GITHUB_TOKEN → GH_PAT): Both the actions/checkout step and GH_TOKEN for the gh CLI now use secrets.GH_PAT. This is necessary for gh pr merge --admin to succeed — GITHUB_TOKEN does not carry admin-level bypass rights, so the merge would have failed previously on a protected develop branch. Note that GH_PAT must be kept valid and rotated manually, unlike the auto-generated GITHUB_TOKEN.

Confidence Score: 4/5

  • Safe to merge — the fix is correct and well-targeted with one minor operational consideration around admin-bypass merge.
  • The condition change is logically correct: publish.outputs.slug is only set when a new branch is pushed, so the guard accurately reflects whether PR creation is needed. The token switch to GH_PAT is the appropriate credential for admin-level merges. The one point of note is that --admin will bypass branch protections going forward, but this is intentional for the automated publish pipeline.
  • No files require special attention beyond the one inline note on --admin merge behavior.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/blog-publish.yml | Two targeted changes: the guard condition on the "Create and merge PR" step is corrected from steps.resolve.outputs.article != '' to steps.publish.outputs.slug != '' (properly skips PR creation when article is already published), and both token references are switched from GITHUB_TOKEN to GH_PAT to enable admin-level merge. Changes are correct and well-scoped. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([workflow_dispatch]) --> B[Checkout @ develop\ntoken: GH_PAT]
    B --> C{Resolve Article\nstep: resolve}

    C -->|slug input provided| D[Find article by slug]
    C -->|no slug input| E[Find oldest draft]

    D -->|not found| F([exit 1 — error])
    E -->|none found| G([exit 0 — nothing to do])
    D -->|found| H[Set resolve.outputs.article]
    E -->|found| H

    H --> I{Publish Article\nstep: publish\nif: resolve.outputs.article != ''}

    I -->|status: draft| J[Update frontmatter\nCreate branch & push\nSet slug/branch/title outputs]
    I -->|status: published| K([exit 0 — already published\nno outputs set])
    I -->|no status field| L([exit 1 — warning])

    J --> M{Create and merge PR\nif: publish.outputs.slug != ''}
    K -.->|slug is empty| N([Step SKIPPED ✓])
    M -->|slug set| O[gh pr create\ngh pr merge --admin\nGH_TOKEN: GH_PAT]
    O --> P([Done — article live])

    style K fill:#f9c,stroke:#c66
    style N fill:#cfc,stroke:#6c6
    style F fill:#f9c,stroke:#c66
    style L fill:#f9c,stroke:#c66
    style P fill:#cfc,stroke:#6c6
```

Path: .github/workflows/blog-publish.yml
Line: 107

Comment:
**`--admin` bypasses branch protections**

`gh pr merge --admin` merges the PR as a repository admin, bypassing all required status checks and branch protection rules on `develop`. With `GITHUB_TOKEN` this would have silently failed (no admin rights), but with a properly-scoped `GH_PAT` this will now succeed unconditionally — even if CI checks haven't passed.

This is likely intentional for a fully-automated publish pipeline, but it's worth confirming and ideally documenting in a comment above this line. If the `develop` branch later gets required checks added, they will be bypassed silently here.


Last reviewed commit: e8281de
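
A step body that acts on the `--admin` note above, as an added example (not the project's workflow): it keeps the empty-slug guard and asks for check status explicitly before the admin merge. The `SLUG`/`BRANCH` env wiring, the function names, and the `--squash` merge method are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow. Meant as the body of the
# "Create and merge PR" step, with SLUG and BRANCH passed in from
# steps.publish.outputs.* through the step's env block (assumed wiring).

# Prints one of: skip | blocked | merge
# $1 = slug output of the publish step, $2 = branch output
merge_decision() {
  # Same guard as the workflow's `if:`. The publish step exits 0 without
  # writing outputs when the article is already published, so both are empty.
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "skip"
    return 0
  fi

  # --admin merges regardless of check state, so query it first.
  # --watch waits for running checks to finish. Any non-zero exit
  # (failed checks, or none reported) blocks the merge.
  if ! gh pr checks "$2" --required --watch >/dev/null 2>&1; then
    echo "blocked"
    return 0
  fi

  echo "merge"
}

run_step() {
  decision="$(merge_decision "${SLUG:-}" "${BRANCH:-}")"
  case "$decision" in
    skip)
      echo "No publish outputs; nothing to merge." ;;
    blocked)
      echo "Required checks not green on $BRANCH; refusing admin merge." >&2
      return 1 ;;
    merge)
      # --squash is an assumed merge method; the page does not state one.
      gh pr merge "$BRANCH" --admin --squash ;;
  esac
}

run_step
```

With this in place, a later required check on `develop` fails the step instead of being bypassed silently.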
