fix: resolve repo rule violations in deploy workflows

claude · claude · commit 6f8b46d23277 · 2026-03-22T08:00:17.000Z
Deploy Dev's generate-types job failed because peter-evans/create-pull-request pushed unsigned commits, violating repo rulesets. Added sign-commits: true to use the GitHub API for signed commits, bypassing the restriction. Deploy Prod's generate-types job pushed directly to main via git push, violating branch protection rules requiring PRs and approvals. Replaced with peter-evans/create-pull-request (matching dev's pattern) with sign-commits: true, added pull-requests: write permission, and added a summary step. https://claude.ai/code/session_01Uhx2N3zWZNBTsgMQo7zajM
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -82,6 +82,7 @@ jobs:
             This PR updates `packages/db/types/database.ts` to reflect the latest dev schema.
           add-paths: packages/db/types/database.ts
           delete-branch: true
+          sign-commits: true
 
       - name: Summary
         run: |
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
@@ -124,6 +124,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -146,16 +147,27 @@ jobs:
           SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
           SUPABASE_DB_PASSWORD: ${{ secrets.SUPABASE_PROD_DB_PASSWORD }}
 
-      - name: Commit types if changed
+      - name: Create PR if types changed
+        uses: peter-evans/create-pull-request@v7
+        id: types-pr
+        with:
+          branch: chore/regenerate-prod-db-types
+          commit-message: "chore(db): regenerate prod database types"
+          title: "chore(db): regenerate prod database types"
+          body: |
+            Auto-generated by the **Deploy Prod** workflow after migrations were applied.
+
+            This PR updates `packages/db/types/database.ts` to reflect the latest production schema.
+          add-paths: packages/db/types/database.ts
+          delete-branch: true
+          sign-commits: true
+
+      - name: Summary
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add packages/db/types/database.ts
-          if git diff --cached --quiet; then
-            echo "No type changes detected"
+          if [ "${{ steps.types-pr.outputs.pull-request-number }}" ]; then
+            echo "### Types — PR [#${{ steps.types-pr.outputs.pull-request-number }}](${{ steps.types-pr.outputs.pull-request-url }}) created ✅" >> "$GITHUB_STEP_SUMMARY"
           else
-            git commit -m "chore(db): regenerate prod database types"
-            git push
+            echo "### Types — No changes ✅" >> "$GITHUB_STEP_SUMMARY"
           fi
 
   # ─── Smoke test: always runs (even if migration was skipped) ──
