@ojowwalker77
Owner

Summary

  • Version sync now triggers on push to main (after merge) instead of on PR
  • Uses PAT (MATRIX_BOT_TOKEN) for write access to push version commits
  • Release workflow triggers via workflow_run after version-sync completes

Problem

Fork PRs run with read-only permissions, so version files weren't getting updated.

Solution

PAT-based bot commit after merge:

  1. Fork PR merged → pushes CHANGELOG.md to main
  2. version-sync triggers → updates version files → commits with PAT
  3. workflow_run triggers release-plugin
  4. Release builds with correct version

Setup Required

  1. Add MATRIX_BOT_TOKEN secret (PAT with contents:write)
  2. Add repo admin to ruleset bypass list (already done)

- Change version-sync trigger from pull_request to push on main
- Use PAT (MATRIX_BOT_TOKEN) for write access
- Add workflow_run trigger to release-plugin
- Release now triggers after version-sync completes
@greptile-apps
Contributor

greptile-apps bot commented Jan 18, 2026

Greptile Summary

This PR fixes version sync for fork PRs by moving version file updates from PR-triggered jobs to a post-merge, PAT-based workflow. The version-sync workflow now triggers on pushes to main (after merge) and uses MATRIX_BOT_TOKEN for write access instead of relying on fork PR permissions. The release-plugin workflow is updated to trigger via workflow_run after version-sync completes, creating a clean dependency chain.

Key Changes:

  • version-sync.yml: Changed trigger from pull_request to push on main; uses PAT (MATRIX_BOT_TOKEN) for commits
  • release-plugin.yml: Added workflow_run trigger after Version Sync; properly gates all three trigger types with conditional logic
  • Simplified version checking logic removes comprehensive validation of all version files
  • Error handling for missing CHANGELOG versions is properly implemented

Confidence Score: 2/5

  • This PR solves the fork PR permissions issue but introduces a version sync regression that could allow undetected version file mismatches
  • The PR successfully addresses the core problem (fork PR permissions) by implementing a PAT-based post-merge workflow. However, it introduces a regression: the version check was simplified to only verify package.json against CHANGELOG, whereas the original workflow checked all version files (package.json, plugin.json, marketplace.json at both top-level and plugins[0].version). This means version mismatches between files could now go undetected, creating a maintenance risk. The workflow logic itself is sound, but this incomplete version validation is a critical oversight that should be fixed before merging.
  • .github/workflows/version-sync.yml - The version check on lines 29-38 needs to validate all version files, not just package.json

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/version-sync.yml | Workflow refactored to run on push to main after merge instead of on PR. Uses PAT for write access. However, the version check now only validates package.json against CHANGELOG instead of checking all three version files (package.json, plugin.json, marketplace.json), allowing potential version mismatches to go undetected. |
| .github/workflows/release-plugin.yml | Workflow refactored to trigger via workflow_run from Version Sync instead of on direct push to CHANGELOG.md. Properly handles push, workflow_dispatch, and workflow_run trigger types with appropriate conditional logic. |

Sequence Diagram

sequenceDiagram
    participant PR as Fork PR
    participant Main as Main Branch
    participant VersionSync as Version Sync Workflow
    participant ReleasePlugin as Release Plugin Workflow
    participant Build as Build Job
    participant Package as Package Job
    participant Release as GitHub Release

    PR->>Main: Merge PR with CHANGELOG.md update
    Main->>VersionSync: Trigger (push to main, CHANGELOG.md changed)
    VersionSync->>VersionSync: Extract version from CHANGELOG
    VersionSync->>VersionSync: Check if versions match
    VersionSync->>Main: Commit version updates with PAT
    Main->>ReleasePlugin: Trigger via workflow_run (success)
    ReleasePlugin->>ReleasePlugin: Get version from package.json
    ReleasePlugin->>ReleasePlugin: Check if release exists
    ReleasePlugin->>Main: Create git tag if needed
    Main->>Build: Build binaries (darwin-arm64, darwin-x64, linux-x64, linux-arm64)
    Build->>Build: Compile with bun
    Build->>Package: Upload artifacts
    Package->>Package: Download all binaries
    Package->>Package: Create archive (tar.gz, zip)
    Package->>Release: Create GitHub Release with assets
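
The regression flagged in the review above (only package.json compared against CHANGELOG) can be illustrated with a check that covers every version location the review lists. This is an added example, not the project's workflow code; the function names, the bare file names used as keys, and the `## [x.y.z]` changelog heading format are assumptions, and the sample data is constructed.

```javascript
// Added example (not the project's workflow code). Assumes CHANGELOG headings
// like "## [1.2.3]" and the version fields named in the review comment.

// Return the first released version found in the changelog, or null.
function changelogVersion(changelogText) {
  const m = /^##\s*\[?v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)\]?/m.exec(changelogText);
  return m ? m[1] : null;
}

// Every location the review lists as carrying a version string.
const VERSION_FIELDS = [
  ["package.json", (j) => j.version],
  ["plugin.json", (j) => j.version],
  ["marketplace.json", (j) => j.version],
  ["marketplace.json plugins[0]", (j) => j.plugins?.[0]?.version],
];

// files: { "package.json": <parsed JSON>, ... }. Returns the list of
// mismatches; an empty list means every file agrees with the changelog.
function findVersionMismatches(changelogText, files) {
  const expected = changelogVersion(changelogText);
  if (expected === null) {
    throw new Error("no version heading found in CHANGELOG");
  }
  const mismatches = [];
  for (const [label, read] of VERSION_FIELDS) {
    const doc = files[label.split(" ")[0]]; // file name is the first word
    const actual = doc === undefined ? undefined : read(doc);
    if (actual !== expected) {
      mismatches.push({ label, expected, actual: actual ?? "(missing)" });
    }
  }
  return mismatches;
}

// Constructed sample: package.json is already bumped, two other fields are
// stale, so a package.json-only comparison would report "in sync".
const sampleChangelog = "# Changelog\n\n## [2.1.0] - 2026-01-18\n- fix\n\n## [2.0.9]\n";
const sampleFiles = {
  "package.json": { version: "2.1.0" },
  "plugin.json": { version: "2.0.9" },
  "marketplace.json": { version: "2.1.0", plugins: [{ version: "2.0.9" }] },
};
const sampleResult = findVersionMismatches(sampleChangelog, sampleFiles);
for (const m of sampleResult) {
  console.log(`${m.label}: expected ${m.expected}, found ${m.actual}`);
}
```

In a workflow step, a non-empty result would be the condition for rewriting the files (or failing the job) before the release workflow reads the version.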

Contributor

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 4 comments

@ojowwalker77 ojowwalker77 added the skip-changelog Skip changelog enforcement label Jan 18, 2026
@ojowwalker77
Owner Author

@greptileai reassess

Contributor

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 1 comment

@ojowwalker77 ojowwalker77 merged commit cca069a into main Jan 18, 2026
5 checks passed
@ojowwalker77 ojowwalker77 deleted the fix/version-sync-fork-prs branch January 18, 2026 18:44