openhoo · wakemeup0 · May 25, 2026 · May 25, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,48 +20,54 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+    env:
+      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
     steps:
-      - name: Require release token
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      - name: Check release token
+        id: release-token
         run: |
           set -euo pipefail
           if [[ -z "${RELEASE_TOKEN}" ]]; then
-            echo "::error::Configure RELEASE_TOKEN with permission to push release PR branches and open pull requests."
-            exit 1
+            echo "::notice::Skipping release preparation because RELEASE_TOKEN is not configured."
+            echo "configured=false" >> "$GITHUB_OUTPUT"
+            exit 0
           fi
+          echo "configured=true" >> "$GITHUB_OUTPUT"
 
       - name: Checkout
+        if: steps.release-token.outputs.configured == 'true'
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: main
 
       - name: Set up Bun
+        if: steps.release-token.outputs.configured == 'true'
         uses: oven-sh/setup-bun@v2
         with:
           bun-version: 1.3.14
 
       - name: Install dependencies
+        if: steps.release-token.outputs.configured == 'true'
         run: bun install --frozen-lockfile
 
       - name: Configure release git author
-        env:
-          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        if: steps.release-token.outputs.configured == 'true'
         run: |
           set -euo pipefail
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git remote set-url origin "https://x-access-token:${RELEASE_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
 
       - name: Prepare release
+        if: steps.release-token.outputs.configured == 'true'
         id: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: bun run release --no-push --no-github
 
       - name: Ensure release PR runs CI
-        if: steps.release.outputs.published == 'true'
+        if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'
         run: |
           set -euo pipefail
           subject="$(git log -1 --pretty=%s)"
@@ -72,7 +78,7 @@ jobs:
           fi
 
       - name: Open release PR
-        if: steps.release.outputs.published == 'true'
+        if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'
         env:
           GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           RELEASE_VERSION: ${{ steps.release.outputs.version }}

diff --git a/README.md b/README.md
@@ -87,4 +87,6 @@ jobs:
 
 `actions/lint` automatically uses the PR base/head range on pull requests and
 `--last` on pushes. `actions/release` exposes `published`, `version`, `tag`, and
-`releases-json` outputs for release PR and downstream publishing jobs.
+`releases-json` outputs for release PR and downstream publishing jobs. Release
+PR preparation should be skipped until `RELEASE_TOKEN` is configured, so regular
+main CI stays green before release automation is enabled.
diff --git a/actions/README.md b/actions/README.md
@@ -41,4 +41,6 @@ repositories.
 Use `steps.release.outputs.published`, `version`, `tag`, and `releases-json`
 to open release PRs or gate downstream package, Docker, or archive publishing
 jobs. For repositories where `main` requires pull requests, use a
-`RELEASE_TOKEN` that can push the release branch and open the release PR.
+`RELEASE_TOKEN` that can push the release branch and open the release PR. Skip
+release preparation when that token is absent so normal main CI does not fail
+before release automation is enabled.
diff --git a/dist/cli.js b/dist/cli.js
@@ -1172,24 +1172,29 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+    env:
+      RELEASE_TOKEN: \${{ secrets.RELEASE_TOKEN }}
     steps:
-      - name: Require release token
-        env:
-          RELEASE_TOKEN: \${{ secrets.RELEASE_TOKEN }}
+      - name: Check release token
+        id: release-token
         run: |
           set -euo pipefail
           if [[ -z "\${RELEASE_TOKEN}" ]]; then
-            echo "::error::Configure RELEASE_TOKEN with permission to push release PR branches and open pull requests."
-            exit 1
+            echo "::notice::Skipping release preparation because RELEASE_TOKEN is not configured."
+            echo "configured=false" >> "$GITHUB_OUTPUT"
+            exit 0
           fi
+          echo "configured=true" >> "$GITHUB_OUTPUT"
 
       - name: Checkout
+        if: steps.release-token.outputs.configured == 'true'
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: main
 
       - name: Prepare release
+        if: steps.release-token.outputs.configured == 'true'
         id: release
         uses: ${actionOwnerRepo}/actions/release@${actionRef}
         with:
@@ -1201,7 +1206,7 @@ jobs:
           install-command: bun install --frozen-lockfile
 
       - name: Ensure release PR runs CI
-        if: steps.release.outputs.published == 'true'
+        if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'
         run: |
           set -euo pipefail
           subject="$(git log -1 --pretty=%s)"
@@ -1212,7 +1217,7 @@ jobs:
           fi
 
       - name: Open release PR
-        if: steps.release.outputs.published == 'true'
+        if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'
         env:
           GH_TOKEN: \${{ secrets.RELEASE_TOKEN }}
           RELEASE_VERSION: \${{ steps.release.outputs.version }}

diff --git a/src/workflow.ts b/src/workflow.ts
@@ -112,24 +112,29 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+    env:
+      RELEASE_TOKEN: \${{ secrets.RELEASE_TOKEN }}
     steps:
-      - name: Require release token
-        env:
-          RELEASE_TOKEN: \${{ secrets.RELEASE_TOKEN }}
+      - name: Check release token
+        id: release-token
         run: |
           set -euo pipefail
           if [[ -z "\${RELEASE_TOKEN}" ]]; then
-            echo "::error::Configure RELEASE_TOKEN with permission to push release PR branches and open pull requests."
-            exit 1
+            echo "::notice::Skipping release preparation because RELEASE_TOKEN is not configured."
+            echo "configured=false" >> "$GITHUB_OUTPUT"
+            exit 0
           fi
+          echo "configured=true" >> "$GITHUB_OUTPUT"
 
       - name: Checkout
+        if: steps.release-token.outputs.configured == 'true'
         uses: actions/checkout@v6
         with:
           fetch-depth: 0
           ref: main
 
       - name: Prepare release
+        if: steps.release-token.outputs.configured == 'true'
         id: release
         uses: ${actionOwnerRepo}/actions/release@${actionRef}
         with:
@@ -141,7 +146,7 @@ jobs:
           install-command: bun install --frozen-lockfile
 
       - name: Ensure release PR runs CI
-        if: steps.release.outputs.published == 'true'
+        if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'
         run: |
           set -euo pipefail
           subject="$(git log -1 --pretty=%s)"
@@ -152,7 +157,7 @@ jobs:
           fi
 
       - name: Open release PR
-        if: steps.release.outputs.published == 'true'
+        if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'
         env:
           GH_TOKEN: \${{ secrets.RELEASE_TOKEN }}
           RELEASE_VERSION: \${{ steps.release.outputs.version }}

diff --git a/tests/workflow.test.ts b/tests/workflow.test.ts
@@ -48,6 +48,12 @@ describe("GitHub Actions integration", () => {
     expect(workflows.release).toContain("contains(github.event.workflow_run.head_commit.message, 'chore(release):')");
     expect(workflows.release).toContain("Prepare release PR");
     expect(workflows.release).toContain("RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}");
+    expect(workflows.release).toContain("Check release token");
+    expect(workflows.release).toContain("Skipping release preparation because RELEASE_TOKEN is not configured.");
+    expect(workflows.release).toContain("if: steps.release-token.outputs.configured == 'true'");
+    expect(workflows.release).toContain(
+      "if: steps.release-token.outputs.configured == 'true' && steps.release.outputs.published == 'true'",
+    );
     expect(workflows.release).toContain('push: "false"');
     expect(workflows.release).toContain('github: "false"');
     expect(workflows.release).toContain("gh pr create --base main");