From 732bc68b4926e3721b14c4f1c3635a9ec1e09ae2 Mon Sep 17 00:00:00 2001
From: Michael Shaffer
Date: Sun, 29 Mar 2026 13:06:25 -0400
Subject: [PATCH] Enhance workflow permissions and token logic

Updated permissions and token handling for workflows.
---
 .github/workflows/release.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c1438b2..44eac66 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,9 +23,11 @@ on:
 type: string
 default: ""
 
+# actions:write — allow gh workflow run when PR checks must be triggered without a PAT
 permissions:
 contents: write
 pull-requests: write
+ actions: write
 
 jobs:
 normalize:
@@ -66,10 +68,14 @@ jobs:
 with:
 ref: ${{ github.event.repository.default_branch }}
 fetch-depth: 0
+ # Optional: fine-grained or classic PAT with repo scope. Without it, GitHub suppresses
+ # pull_request workflows for pushes/PRs done with GITHUB_TOKEN — required checks stay pending.
+ token: ${{ secrets.WORKFLOW_TRIGGER_TOKEN != '' && secrets.WORKFLOW_TRIGGER_TOKEN || github.token }}
 - name: Bump manifest, push release branch, publish release, open PR
 env:
- GH_TOKEN: ${{ github.token }}
+ GH_TOKEN: ${{ secrets.WORKFLOW_TRIGGER_TOKEN != '' && secrets.WORKFLOW_TRIGGER_TOKEN || github.token }}
+ HAS_WORKFLOW_PAT: ${{ secrets.WORKFLOW_TRIGGER_TOKEN != '' }}
 VERSION: ${{ needs.normalize.outputs.version }}
 TAG: ${{ needs.normalize.outputs.tag }}
 BRANCH: ${{ needs.normalize.outputs.branch }}
 
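Review bot: `actions: write` is granted at the workflow level, so every job — including `normalize`, which only computes outputs — receives a GITHUB_TOKEN that can dispatch, cancel and re-run workflows, while only the step that calls `gh workflow run` (in a later hunk) needs it. Scoping the grant to the job that contains the "Bump manifest" step keeps the remaining jobs at least privilege; note that a job-level `permissions:` block replaces the workflow-level one, so it must restate `contents: write` and `pull-requests: write` alongside `actions: write`. The comment above `permissions:` could say so explicitly, e.g. `# actions:write is needed only by the gh workflow run step; scope it to that job if more jobs are added`.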
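Review bot: The new `token:` input hands the PAT to the checkout action (presumably actions/checkout, given the `ref`/`fetch-depth` inputs), which by default persists it in the repository's git config (`persist-credentials` defaults to true), so every later step in the job — including any third-party action — can read a credential that, with the classic `repo` scope the added comment suggests, reaches every repository the token owner can write to. The push in the following step needs the credential, so persisting is presumably intentional, but the comment should steer toward the narrowest token: `# Optional: fine-grained PAT restricted to this repository (Contents: write, Pull requests: write); avoid the classic 'repo' scope.` The `secrets.WORKFLOW_TRIGGER_TOKEN != '' && ... || github.token` expression is also duplicated verbatim for `GH_TOKEN`, so a rename of the secret must be applied in both places (and to `HAS_WORKFLOW_PAT`). The enclosing job's header and `uses:` line are outside this hunk.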
@@ -147,6 +153,13 @@ jobs:
 echo "::notice::An open PR already exists for \`${BRANCH}\`; skipping \`gh pr create\`."
 fi
 
+ # Without a PAT, GitHub does not run other workflows for this push/PR. Dispatch Validate
+ # on the release branch so hassfest/HACS run and show on the PR (same commit as head).
+ if [ "${HAS_WORKFLOW_PAT}" != "true" ]; then
+ echo "::notice::No WORKFLOW_TRIGGER_TOKEN — triggering Validate on \`${BRANCH}\` so PR checks are not stuck."
+ gh workflow run validate.yaml --ref "$BRANCH"
+ fi
+
 - name: Summary
 if: success()
 env:
@@ -161,4 +174,7 @@ jobs:
 echo "If \`${DEFAULT_BRANCH}\` still shows the old version, open **Pull requests** and merge the PR titled **Merge ${TAG} manifest bump**."
 echo ""
 echo "**Draft releases** use a temporary \`untagged-…\` URL in the job log until you **Publish** the release on GitHub; then the normal \`/releases/tag/${TAG}\` link applies."
+ echo ""
+ echo "### PR checks"
+ echo "If required checks were stuck: GitHub often **does not run** \`pull_request\` workflows for commits pushed with the default \`GITHUB_TOKEN\`. This workflow **dispatches Validate** on the release branch when secret \`WORKFLOW_TRIGGER_TOKEN\` is unset. Optionally add that repo secret (PAT with **contents** + **pull requests**, and **actions** if you use fine-grained) so push/PR use a non-GitHub Actions identity and checks start automatically like a normal PR."
 } >> "$GITHUB_STEP_SUMMARY"
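Review bot: `gh workflow run validate.yaml --ref "$BRANCH"` is the last command of a step that, per its name in the earlier hunk, has already pushed the release branch, published the release and opened the PR, so a dispatch failure — validate.yaml lacking a `workflow_dispatch` trigger, or the token lacking `actions: write` — fails the step under the runner's default `bash -e` after those side effects are already irreversible. Make the dispatch best-effort and surface it instead: `gh workflow run validate.yaml --ref "$BRANCH" || echo "::warning::Could not dispatch Validate on ${BRANCH}; trigger it manually."`. The enclosing `run:` block starts before this hunk, so whether it sets its own `set -e` cannot be confirmed here.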