From 29069f4033be73e8f1e9ca1f1c592fca74993879 Mon Sep 17 00:00:00 2001
From: "Joseph T. French"
Date: Mon, 2 Feb 2026 17:42:17 -0600
Subject: [PATCH 1/2] Update create-release.yml to require ACTIONS_TOKEN for pushing to protected branches

## Summary
This commit modifies the GitHub Actions workflow in `create-release.yml` to explicitly require the `ACTIONS_TOKEN` for pushing changes to the protected main branch, enhancing security and ensuring proper authentication.
## Key Changes
- Added a token configuration line to utilize `ACTIONS_TOKEN` or fallback to `github.token` for secure operations.
## Infrastructure Considerations
This change improves the security of the release process by ensuring that only authenticated actions can push to the main branch, aligning with best practices for CI/CD workflows.

---
 .github/workflows/create-release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 0547b90..c64ad5d 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -26,6 +26,8 @@ jobs:
 with:
 ref: main
 fetch-depth: 0
+ # ACTIONS_TOKEN required to push to protected main branch
+ token: ${{ secrets.ACTIONS_TOKEN || github.token }}
 
 - name: Setup Python
 uses: actions/setup-python@v5

From c840f2fd109704ab578a5bca7d8ab476876db1bb Mon Sep 17 00:00:00 2001
From: "Joseph T. French"
Date: Mon, 2 Feb 2026 17:44:22 -0600
Subject: [PATCH 2/2] Update tag-release.yml to require ACTIONS_TOKEN for pushing to protected repositories

This commit modifies the GitHub Actions workflow in `tag-release.yml` to utilize `ACTIONS_TOKEN` for pushing tags to protected repositories, enhancing security by ensuring proper authentication. The configuration now falls back to `github.token` if `ACTIONS_TOKEN` is not set, maintaining functionality while improving security compliance.

---
 .github/workflows/tag-release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
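Review bot: The `||` fallback on the added `token:` line makes ACTIONS_TOKEN optional, contradicting the comment above it and the subject line: when the secret is unset (a fork, or a repository where it was never configured) the checkout silently uses `github.token`, and the later push either fails at push time with a less obvious error or, where branch protection happens to let the Actions app through, lands on main without the credential the workflow was meant to require. A fail-fast step placed before this checkout makes the requirement real; otherwise reword the comment to `# Prefer ACTIONS_TOKEN (PAT able to push to protected main); the github.token fallback is expected to be rejected by branch protection`. Separately, actions/checkout persists the token it is given into the checkout's git config by default, so every later step of this job (Setup Python onward) can read the PAT; if only the push needs it, `persist-credentials: false` here and passing the token to the push step limits that exposure. The same two points apply to the checkout hunk of tag-release.yml in the second patch. The checkout step's `name:`/`uses:` lines and the push step itself are outside the hunk.
```yaml
      # Placed before the checkout step; fails the job early instead of
      # letting the push fail later when the secret is missing.
      - name: Require ACTIONS_TOKEN
        env:
          ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
        run: |
          if [ -z "$ACTIONS_TOKEN" ]; then
            echo "::error::ACTIONS_TOKEN secret is not configured"
            exit 1
          fi
      # … unchanged: checkout step with the new token: line …
```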
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
index 4fd8aab..b559ef8 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -36,7 +36,8 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ inputs.branch_ref }}
- token: ${{ github.token }}
+ # ACTIONS_TOKEN required to push tags to protected repo
+ token: ${{ secrets.ACTIONS_TOKEN || github.token }}
 fetch-depth: 0
 
 - name: Get Version from pyproject.toml
@@ -256,7 +257,8 @@ jobs:
 draft: false
 prerelease: false
 env:
- GITHUB_TOKEN: ${{ github.token }}
+ # ACTIONS_TOKEN preferred for release creation
+ GITHUB_TOKEN: ${{ secrets.ACTIONS_TOKEN || github.token }}
 
 - name: Create release summary
 if: steps.check-tag.outputs.tag_exists == 'false'
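Review bot: The comment `# ACTIONS_TOKEN preferred for release creation` on the `GITHUB_TOKEN:` line in the second hunk records the preference but not the reason, and the reason matters because the switch changes behaviour: a release created with a PAT is attributed to that user rather than to github-actions, and the events it generates (the `release` event, and a tag push if the release has to create the tag) can start other workflows, which events generated with the default `github.token` do not. If triggering downstream release workflows is the goal, say so; if the PAT was added only because the tag was pushed under it earlier in this job, the release API call presumably does not need the elevated credential and `github.token` could stay. Suggested comment: `# PAT so the release fires downstream release-triggered workflows (github.token-created events do not); falls back to github.token when the secret is unset`. The release step's `uses:` line and the `check-tag` step it depends on are outside the hunk.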