The default GITHUB_TOKEN / github-actions[bot] cannot be placed on a
branch ruleset's bypass list, so the publish job's direct push to
master would be rejected under branch protection. Check out with a
repo-admin PAT (RELEASE_PAT) instead — the admin is on the bypass
list, and actions/checkout persists the token so the commit+tag push
and the race-check fetch both use it. @oetiker
permissions:
contents: write
steps:
+ # RELEASE_PAT is a repo-admin Personal Access Token (Contents: write).
+ # The default GITHUB_TOKEN / github-actions[bot] cannot be added to the
+ # branch ruleset bypass list, so the release commit + tag push below is
+ # authenticated as the admin (who IS on the bypass list) via this PAT.
+ # actions/checkout persists the token in git config, so the later
+ # `git push` and `git fetch` steps use it automatically.
- uses: actions/checkout@v6
with:
fetch-depth: 0
+ token: ${{ secrets.RELEASE_PAT }}
- name: Race check (master not advanced since check-ci)
env:
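Review bot: The `token: ${{ secrets.RELEASE_PAT }}` input on the actions/checkout step leaves a repo-admin credential in git config for the rest of the job, as the added comment itself notes. Every later step in the job can therefore push as the bypass-listed admin, not only the release commit + tag push and the race-check fetch. Consider setting `persist-credentials: false` on the checkout and passing the PAT only to the steps that actually fetch and push. Since `actions/checkout@v6` now receives the admin token, it is also worth pinning that action to a full commit SHA instead of the mutable tag. The comment could additionally say that RELEASE_PAT should be fine-grained and limited to this repository. If no remaining step writes with the default GITHUB_TOKEN, `contents: write` under `permissions:` can be reduced.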