

3 Commits

10 changed files with 41 additions and 37 deletions


@@ -14,4 +14,4 @@ jobs:
- name: Draft Release
uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6
env:
CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


@@ -23,10 +23,12 @@ jobs:
with:
# The prefix to use to create tags
tag_prefix: "v"
# A string which, if present in the git log, indicates that a major version increase is required
major_pattern: "(MAJOR)"
# A string which, if present in the git log, indicates that a minor version increase is required
minor_pattern: "(feat)"
# Regex pattern for major version bump (breaking changes)
# Matches: "feat!:", "fix!:", "BREAKING CHANGE:" in commit messages
major_pattern: "/!:|BREAKING CHANGE:/"
# Regex pattern for minor version bump (new features)
# Matches: "feat:" prefix in commit messages (Conventional Commits)
minor_pattern: "/feat:/"
# Pattern to determine formatting
version_format: "${major}.${minor}.${patch}"
# If no tags are found, this version is used
@@ -66,7 +68,7 @@ jobs:
# Export the tag for downstream steps
echo "tag=${TAG}" >> $GITHUB_OUTPUT
env:
CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Determine tag
id: determine_tag
@@ -87,14 +89,14 @@ jobs:
run: |
TAG=${{ steps.determine_tag.outputs.tag }}
echo "Checking for release for tag: ${TAG}"
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
if [ "${STATUS}" = "200" ]; then
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
env:
CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create GitHub Release (tag-only, no workspace changes)
if: ${{ steps.semver.outputs.changed == 'true' && steps.check_release.outputs.exists == 'false' }}
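Review bot: In the release-lookup step, every status other than 200 is written as `exists=false`, so a 401 or 403 from a bad or under-scoped token and a `000` from a network failure (the `-s` and `|| true` keep curl from failing the step) all let the following `Create GitHub Release` step, gated on `steps.check_release.outputs.exists == 'false'`, attempt a duplicate release instead of stopping. Only a 404 means the tag has no release; everything else should abort: `elif [ "${STATUS}" = "404" ]; then echo "exists=false" >> "$GITHUB_OUTPUT"` followed by `else echo "Unexpected HTTP ${STATUS} from release lookup" >&2; exit 1; fi`. Separately, in the first hunk the new `minor_pattern: "/feat:/"` does not match scoped Conventional Commits such as `feat(api):`, so those would bump only the patch version if the action treats `/…/` as a regular expression; `'/feat(\(.+\))?:/'` covers both forms. Both the lookup step and the `with:` block of the version step continue outside the displayed hunks.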


@@ -157,5 +157,5 @@ jobs:
}
}
env:
CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CPMP_TOKEN: ${{ secrets.CPMP_TOKEN }}


@@ -13,10 +13,10 @@ jobs:
goreleaser:
runs-on: ubuntu-latest
env:
# Use the built-in CHARON_TOKEN by default for GitHub API operations.
# If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret
# Use the built-in GITHUB_TOKEN by default for GitHub API operations.
# If you need to provide a PAT with elevated permissions, add a GITHUB_TOKEN secret
# at the repo or organization level and update the env here accordingly.
CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
@@ -26,12 +26,12 @@ jobs:
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
with:
go-version: '1.25.5'
go-version: '1.23.x'
- name: Set up Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
node-version: '24.12.0'
node-version: '20.x'
- name: Build Frontend
working-directory: frontend
@@ -47,7 +47,7 @@ jobs:
with:
version: 0.13.0
# CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
# GITHUB_TOKEN is set from GITHUB_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
- name: Run GoReleaser
@@ -56,4 +56,6 @@ jobs:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# CGO settings are handled in .goreleaser.yaml via Zig
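Review bot: The new comment at the top of the `goreleaser` job tells the reader to add a `GITHUB_TOKEN` secret for elevated permissions, but GitHub Actions rejects repository and organization secrets whose names begin with `GITHUB_`, so `secrets.GITHUB_TOKEN` can only ever be the workflow's built-in token and the PAT-override path the comment describes no longer exists. The later comment `# GITHUB_TOKEN is set from GITHUB_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN` is circular for the same reason. If an elevated token is still needed for publishing, keep it under a name outside the reserved prefix (`CPMP_TOKEN` is already wired as a fallback in the other workflows) and document the real precedence, e.g. `# GITHUB_TOKEN: built-in token by default; set CPMP_TOKEN to release with a PAT that has the extra scopes`. If the second line of each pair is the new side, the `go-version: '1.23.x'` and `node-version: '20.x'` pins in the second hunk also move from exact versions to floating minors, which widens what a rebuild may pull in without a record of what actually shipped; the job's `with:` block continues outside the hunk.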


@@ -20,10 +20,10 @@ jobs:
fetch-depth: 1
- name: Choose Renovate Token
run: |
# Prefer explicit tokens (CHARON_TOKEN > CPMP_TOKEN) if provided; otherwise use the default GITHUB_TOKEN
if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
echo "Using CHARON_TOKEN" >&2
echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
# Prefer explicit tokens (GITHUB_TOKEN > CPMP_TOKEN) if provided; otherwise use the default GITHUB_TOKEN
if [ -n "${{ secrets.GITHUB_TOKEN }}" ]; then
echo "Using GITHUB_TOKEN" >&2
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
else
echo "Using default GITHUB_TOKEN from Actions" >&2
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
@@ -32,7 +32,7 @@ jobs:
- name: Fail-fast if token not set
run: |
if [ -z "${{ env.GITHUB_TOKEN }}" ]; then
echo "ERROR: No Renovate token provided. Set CHARON_TOKEN, CPMP_TOKEN, or rely on default GITHUB_TOKEN." >&2
echo "ERROR: No Renovate token provided. Set GITHUB_TOKEN, CPMP_TOKEN, or rely on default GITHUB_TOKEN." >&2
exit 1
fi
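Review bot: The `Choose Renovate Token` step now tests `secrets.GITHUB_TOKEN`, which Actions always populates with the built-in token, so the `if` is always true and both branches write the same value to `$GITHUB_ENV`; the `CPMP_TOKEN` fallback named in the comment and in the `Fail-fast if token not set` error message is never consulted, and the fail-fast check on `env.GITHUB_TOKEN` can no longer fire. The same dead branch appears in the `Choose GitHub Token` step of the next file, where the `else` that writes `secrets.CPMP_TOKEN` is unreachable. Pull requests opened with the built-in token also do not trigger other workflow runs under GitHub's rule for events caused by `GITHUB_TOKEN`, which is presumably why a PAT was preferred before; inverting the order keeps the fallback and the fail-fast meaningful: `if [ -n "${{ secrets.CPMP_TOKEN }}" ]; then echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> "$GITHUB_ENV"` then `else echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> "$GITHUB_ENV"; fi`. The `Choose Renovate Token` step continues past the end of the first hunk.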


@@ -24,17 +24,17 @@ jobs:
steps:
- name: Choose GitHub Token
run: |
if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
echo "Using CHARON_TOKEN" >&2
echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
if [ -n "${{ secrets.GITHUB_TOKEN }}" ]; then
echo "Using GITHUB_TOKEN" >&2
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
else
echo "Using CPMP_TOKEN fallback" >&2
echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
fi
- name: Prune renovate branches
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
github-token: ${{ env.CHARON_TOKEN }}
github-token: ${{ env.GITHUB_TOKEN }}
script: |
const owner = context.repo.owner;
const repo = context.repo.repo;


@@ -7,7 +7,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release`
## Changes Included
1. Workflow Token Updates
- Prefer `CHARON_TOKEN` with `CPMP_TOKEN` as a fallback to maintain backward compatibility.
- Prefer `GITHUB_TOKEN` with `CPMP_TOKEN` as a fallback to maintain backward compatibility.
- Ensured consistent secret reference across `release.yml` and `renovate_prune.yml`.
2. Release Workflow Adjustments
- Fixed environment variable configuration for release publication.
@@ -68,7 +68,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release`
Marking this as a DRAFT to allow review of token changes before merge. Please:
- Confirm `CHARON_TOKEN` (or `CPMP_TOKEN` fallback) exists in repo secrets.
- Confirm `GITHUB_TOKEN` (or `CPMP_TOKEN` fallback) exists in repo secrets.
- Review for any missed workflow references.
---


@@ -6,7 +6,7 @@ This draft PR merges recent beta preparation changes from `feature/beta-release`
## Changes Included (Summary)
- Workflow token migration: prefer `CHARON_TOKEN` (fallback `CPMP_TOKEN`) across release and maintenance workflows.
- Workflow token migration: prefer `GITHUB_TOKEN` (fallback `CPMP_TOKEN`) across release and maintenance workflows.
- Stabilized release workflow prerelease detection and artifact publication.
- Prior (already merged earlier) CI enhancements: pinned action versions, Docker multi-arch debug tooling reliability, dynamic `dlv` binary resolution.
- Documentation updates enumerating each incremental workflow/token adjustment for auditability.
@@ -21,7 +21,7 @@ Ensures alpha integration branch inherits hardened CI/release pipeline and updat
## Risk & Mitigation
- Secret Name Change: Prefer `CHARON_TOKEN` (keep `CPMP_TOKEN` as a fallback). Mitigation: Verify `CHARON_TOKEN` (or `CPMP_TOKEN`) presence before merge.
- Secret Name Change: Prefer `GITHUB_TOKEN` (keep `CPMP_TOKEN` as a fallback). Mitigation: Verify `GITHUB_TOKEN` (or `CPMP_TOKEN`) presence before merge.
- Workflow Fan-out: Reusable workflow path validated locally; CI run (draft) will confirm.
## Follow-ups (Out of Scope)
@@ -38,9 +38,9 @@ Ensures alpha integration branch inherits hardened CI/release pipeline and updat
## Requested Review Focus
1. Confirm `CHARON_TOKEN` (or `CPMP_TOKEN` fallback) availability.
1. Confirm `GITHUB_TOKEN` (or `CPMP_TOKEN` fallback) availability.
2. Sanity-check release artifact matrix remains correct.
3. Spot any residual `CHARON_TOKEN` or `CPMP_TOKEN` references missed.
3. Spot any residual `GITHUB_TOKEN` or `CPMP_TOKEN` references missed.
---
Generated draft to align branches; will convert to ready-for-review after validation.


@@ -6,7 +6,7 @@ Draft PR to merge hardened CI/release workflow changes from `feature/beta-releas
## Highlights
- Secret token migration: prefer `CHARON_TOKEN` while maintaining support for `CPMP_TOKEN` (fallback) where needed.
- Secret token migration: prefer `GITHUB_TOKEN` while maintaining support for `CPMP_TOKEN` (fallback) where needed.
- Release workflow refinements: stable prerelease detection (alpha/beta/rc), artifact matrix intact.
- Prior infra hardening (already partially merged earlier): pinned GitHub Action SHAs/tags, resilient Delve (`dlv`) multi-arch build handling.
- Extensive incremental documentation trail in `docs/beta_release_draft_pr.md` plus concise snapshot in `docs/beta_release_draft_pr_body_snapshot.md` for reviewers.
@@ -17,8 +17,8 @@ Most recent snapshot commit: `308ae5dd` (final body content before PR). Full ord
## Review Checklist
- Secret `CHARON_TOKEN` (or `CPMP_TOKEN` fallback) exists and has required scopes.
- No lingering `CHARON_TOKEN` or `CPMP_TOKEN` references beyond allowed GitHub-provided contexts.
- Secret `GITHUB_TOKEN` (or `CPMP_TOKEN` fallback) exists and has required scopes.
- No lingering `GITHUB_TOKEN` or `CPMP_TOKEN` references beyond allowed GitHub-provided contexts.
- Artifact list (frontend dist, backend binaries, caddy binaries) still correct for release.
## Risks & Mitigations


@@ -10,7 +10,7 @@ The Docker build workflow uses GitHub Container Registry (GHCR) to store your im
### How It Works
GitHub Actions automatically uses the built-in secret token to authenticate with GHCR. We recommend creating a `CHARON_TOKEN` secret (preferred); workflows currently still work with `CPMP_TOKEN` for backward compatibility.
GitHub Actions automatically uses the built-in secret token to authenticate with GHCR. We recommend creating a `GITHUB_TOKEN` secret (preferred); workflows currently still work with `CPMP_TOKEN` for backward compatibility.
- ✅ Push images to `ghcr.io/wikid82/charon`
- ✅ Link images to your repository
@@ -172,13 +172,13 @@ When you're ready to release a new version:
**Problem**: "Error: denied: requested access to the resource is denied"
- **Fix**: This shouldn't happen with `CHARON_TOKEN` or `CPMP_TOKEN` - check workflow permissions
- **Fix**: This shouldn't happen with `GITHUB_TOKEN` or `CPMP_TOKEN` - check workflow permissions
- **Verify**: Settings → Actions → General → Workflow permissions → "Read and write permissions" enabled
**Problem**: Can't pull the image
- **Fix**: Make the package public (see Step 1 above)
- **Or**: Authenticate with GitHub: `echo $CHARON_TOKEN | docker login ghcr.io -u USERNAME --password-stdin` (or `CPMP_TOKEN` for backward compatibility)
- **Or**: Authenticate with GitHub: `echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin` (or `CPMP_TOKEN` for backward compatibility)
### Docs Don't Deploy