From 84cd8c15c7976ffaff8c9c7517fa6f3a9ad582a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=85=8E=E9=A5=BC=E6=9E=9C=E5=AD=90=E5=8D=B7=E9=B2=A8?= =?UTF-8?q?=E9=B1=BC=E8=BE=A3=E6=A4=92?=
Date: Mon, 30 Dec 2024 18:48:49 +0800
Subject: [PATCH] chore: update GitHub Actions workflows for improved tagging and release process

- Changed GITHUB_TOKEN reference in auto-tag.yml to use the standard token for better security.
- Added debug steps in both workflows to enhance visibility into the release process and check permissions.
- Updated permissions in release.yml to explicitly define required access levels for contents, packages, and actions.
- Refined the conditional execution for the release job to ensure it only runs when a valid version is generated.
---
 .github/workflows/auto-tag.yml | 20 +++++++++++++++++---
 .github/workflows/release.yml  | 22 +++++++++++++++++++++-
 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 3857d71..d9a214c 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -64,7 +64,7 @@ jobs:
 
       - name: Create new tag
         env:
-          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           new_tag=${{ steps.get_latest_tag.outputs.version }}
           git config --global user.name 'github-actions[bot]'
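Review bot: Tags pushed with the built-in token (the new `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the `Create new tag` step) do not start other workflow runs, so the `on: push: tags: "v*"` trigger that release.yml still declares in its first hunk will no longer fire from this job; the only remaining path to a release is the `uses:` call from the `release` job later in this file. That is presumably the intent, but it is a silent dependency — a comment above the `env:` block such as `# pushes made with GITHUB_TOKEN do not trigger release.yml's tag workflow; the release job below calls it directly` would stop the next maintainer from re-introducing a broader token or wondering why the tag trigger is dead. For the push itself to succeed, the auto-tag job's `permissions:` must include `contents: write`; that block is outside this hunk, so confirm it is set. The step's `run:` block continues past the end of the hunk.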
@@ -90,13 +90,27 @@ jobs:
           echo "---"
           echo "Direct version value: ${{ steps.get_latest_tag.outputs.version }}"
 
+      - name: Debug Release Trigger
+        run: |
+          echo "Auto-tag completed successfully"
+          echo "Version to be released: ${{ steps.get_latest_tag.outputs.version }}"
+          echo "Checking release conditions:"
+          echo " - Version not empty: ${{ steps.get_latest_tag.outputs.version != '' }}"
+          echo " - Current job status: ${{ job.status }}"
+
   release:
     needs: auto-tag
+    permissions:
+      contents: write
+      packages: write
+      actions: write
     if: |
-      always() &&
       needs.auto-tag.result == 'success' &&
       needs.auto-tag.outputs.version != ''
     uses: ./.github/workflows/release.yml
     with:
       version: ${{ needs.auto-tag.outputs.version }}
-    secrets: inherit
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4ba69df..5a346ee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,10 @@ on:
     tags:
       - "v*"
 
-permissions: write-all
+permissions:
+  contents: write
+  packages: write
+  actions: write
 
 jobs:
   goreleaser:
@@ -29,6 +32,23 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 15
     steps:
+      - name: Check Permissions
+        run: |
+          echo "Checking required permissions..."
+          TOKEN="${{ secrets.RELEASE_TOKEN }}"
+          if [ -z "$TOKEN" ]; then
+            echo "::error::RELEASE_TOKEN is not set"
+            exit 1
+          fi
+          echo "Token permissions check passed"
+
+      - name: Debug Workflow Trigger
+        run: |
+          echo "Event name: ${{ github.event_name }}"
+          echo "Ref: ${{ github.ref }}"
+          echo "Version input: ${{ inputs.version }}"
+          echo "Token exists: ${{ secrets.RELEASE_TOKEN != '' }}"
+
       - name: Checkout
         uses: actions/checkout@v3
         with:
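Review bot: The `permissions:` block added to the `release` caller job grants `actions: write`, and nothing in the called workflow visible in this patch (a goreleaser job with checkout and two debug steps) needs to modify workflow runs; the same grant appears in release.yml's top-level `permissions:` in the next hunk. A reusable workflow can only be scoped down from what the caller grants, so this block sets the ceiling — trimming both places to `contents: write` plus `packages: write` (only if images are pushed) keeps the token at least privilege, and if something really needs `actions: write` a comment naming it would justify the line. Separately, the new `Debug Release Trigger` step interpolates `${{ steps.get_latest_tag.outputs.version }}` directly into a `run:` script; since that value is presumably derived from a tag name, binding it with `env:` + `VERSION: ${{ steps.get_latest_tag.outputs.version }}` and echoing `"$VERSION"` avoids the expression-in-script pattern that the existing `Direct version value` line already follows.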
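Review bot: The `Check Permissions` step only tests that `RELEASE_TOKEN` is non-empty yet prints `Token permissions check passed`, which overstates what was verified; with the caller in auto-tag.yml now passing `RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, the value is never empty on that path, so the step can only fail on a direct tag push where the repository secret is absent. Rename the message to something like `echo "RELEASE_TOKEN is set"` so the log does not imply scopes were checked. The secret is also expanded inline into the script via `TOKEN="${{ secrets.RELEASE_TOKEN }}"`; the usual pattern is to bind it on the step with `env:` + `TOKEN: ${{ secrets.RELEASE_TOKEN }}` and drop the assignment, so it reaches the shell as an environment variable rather than being written into the generated script file. The `goreleaser` job's remaining steps run past the end of the hunk.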