Problem
The deploy workflow pushes a snapshot commit directly to main, which fails when validate is a required status check. github-actions[bot] cannot bypass required status checks in either classic branch protection or Rulesets.
Currently validate is not a required status check (removed to unblock 1.5.0 in #29). validate still runs on PRs via pr.yml, but branch protection does not enforce it — PRs could theoretically be merged with failing validation.
Impact
Low-risk for this low-traffic repo, but branch protection is weaker than intended.
Proposed Solution
Options (pick one):
- Leave validate removed — accept the current state. Validation still runs, just isn't enforced. Simplest.
- Restructure the workflow to create a PR for the snapshot commit instead of pushing directly to main. Re-add validate as a required check. Adds complexity (auto-merge, bot approvals).
- Reorder workflow steps so Pages deploys before the snapshot push, with continue-on-error: true on the snapshot step. Re-add validate. Releases always go live, but snapshot push still fails and needs manual follow-up.
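A sketch of the third option as a workflow file, added here as an illustration and not taken from this repository's deploy workflow. The trigger, build command, step ids and commit message are assumptions. The last step reads steps.snapshot.outcome, which still records the rejected push even though continue-on-error keeps the job green.

```yaml
# Hypothetical sketch of option 3; job, step and script names are assumptions.
name: deploy
on:
  workflow_dispatch:          # assumed trigger

permissions:
  contents: write             # needed for the snapshot push attempt
  pages: write
  id-token: write             # required by actions/deploy-pages

jobs:
  release:
    runs-on: ubuntu-latest
    environment:
      name: github-pages
    steps:
      - uses: actions/checkout@v4

      - name: Build site
        run: ./build.sh       # placeholder build command; writes the site to ./_site

      - uses: actions/upload-pages-artifact@v3
        with:
          path: _site

      # Pages goes live first, so a rejected push cannot block the release.
      - name: Deploy to Pages
        uses: actions/deploy-pages@v4

      - name: Push snapshot commit to main
        id: snapshot
        continue-on-error: true   # push is rejected while validate is a required check
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git commit -am "Snapshot"   # placeholder message; assumes tracked files changed
          git push origin HEAD:main

      # continue-on-error hides the failure from the job result, so surface it here.
      - name: Flag snapshot push for manual follow-up
        if: steps.snapshot.outcome == 'failure'
        run: echo "::warning::Snapshot push to main was rejected; manual follow-up needed."
```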
Considerations
Why Rulesets don't work
github-actions[bot] (the built-in GITHUB_TOKEN actor) is not available as a bypass actor in Rulesets. Only installable GitHub Apps appear in the Rulesets bypass list. Verified — searching for "github" only shows "GitHub Merge Queue".
Classic branch protection limitations
The bypass list only exempts from PR requirements, not status checks. There is no mechanism to exempt specific actors from required status checks.
Conversation resolution
Classic branch protection has "Require conversation resolution before merging" enabled. Rulesets do not support this feature, so a full migration to Rulesets would lose this.
Previous releases
Releases 1.0.0–1.4.0 succeeded. The validate required check may have been added after those releases.