From ea5584ee45d6febe73867e73490c999f1406380a Mon Sep 17 00:00:00 2001 From: finalerock44 <77282157+finalerock44@users.noreply.github.com> Date: Wed, 24 Jun 2026 18:24:03 +0100 Subject: [PATCH] fix: stop CLA locking release PRs (breaks release pipeline) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The CLA Assistant action defaults lock-pullrequest-aftermerge=true, so merging a release-please PR locked it; release-please then failed trying to comment on the locked PR, killing the Release job before npm publish + binary upload ran (seen on v5.0.0-beta.2). Set lock-pullrequest-aftermerge=false. Also skip release-please PRs in claude-code-review (version bumps — nothing to review, and it must never block a release). --- .github/workflows/cla.yml | 5 +++++ .github/workflows/claude-code-review.yml | 9 +++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index a0306ed..ba697bc 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -59,6 +59,11 @@ jobs: path-to-signatures: "signatures/version1/cla.json" path-to-document: "https://github.com/devicecloud-dev/dcd-cli/blob/dev/CLA.md" branch: "cla-signatures" + # Do NOT lock the PR on merge (the action's default is true). release-please + # comments on its release PR *after* merge; a locked conversation makes that + # comment fail and takes down the whole Release job (npm publish + binaries + # never run). Keeping this false is load-bearing for the release pipeline. + lock-pullrequest-aftermerge: false # Internal maintainers (covered by employment/CCLA) + bots skip the prompt. allowlist: riglar,finalerock44,dependabot[bot],renovate[bot],*[bot] # Customise the bot's prompts if desired: diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 3419419..1eac5d0 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -12,10 +12,11 @@ on: jobs: claude-review: - # The review needs CLAUDE_CODE_OAUTH_TOKEN, which is NOT exposed to PRs that - # run without secrets — Dependabot PRs and PRs from forks. Skip them so the - # check doesn't fail with an empty token; same-repo PRs only. - if: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' }} + # Skip PRs we shouldn't (or can't) review: + # - Dependabot / forks: no CLAUDE_CODE_OAUTH_TOKEN, so the action would fail. + # - release-please release PRs: just version bumps + changelog — nothing to + # review, and it must never block a release. + if: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]' && !startsWith(github.head_ref, 'release-please--') }} runs-on: ubuntu-latest permissions: contents: read