From c49b881ab213b24f1e910d6c32e03801a1dabce5 Mon Sep 17 00:00:00 2001
From: bearomorphism <bearomorphism@users.noreply.github.com>
Date: Fri, 8 May 2026 16:20:44 +0800
Subject: [PATCH 1/3] docs(examples): gracefully handle no bump-eligible
 commits

Update both bump-release.yaml examples so that pushing only commits
which do not trigger a version bump (e.g. docs:, ci:, build(deps):)
does not fail the workflow with exit code 21.

The bump step now passes `--no-raise 21` to cz bump and detects
whether HEAD changed; if not, it sets `bumped=false` and exits 0.
Subsequent steps (changelog, release, trigger-other-workflow) are
guarded by `steps.bump-version.outputs.bumped == 'true'` so they
are skipped on no-op runs.

This mirrors the same pattern already used in commitizen's own
bumpversion.yml workflow (see commitizen-tools/commitizen#1950).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 examples/bump-release.yaml                       | 15 ++++++++++++++-
 .../.github/workflows/bump-release.yaml          | 16 +++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/examples/bump-release.yaml b/examples/bump-release.yaml
index cb8699c..4297dd8 100644
--- a/examples/bump-release.yaml
+++ b/examples/bump-release.yaml
@@ -22,18 +22,31 @@ jobs:
           python-version: "3.x"
       - id: bump-version
         run: |
-          cz bump --yes --annotated-tag
+          old_sha="$(git rev-parse HEAD)"
+          # Pass --no-raise 21 so that pushing only non-bump-eligible commits
+          # (e.g. docs:, ci:, build(deps):) does not fail the workflow.
+          cz bump --yes --annotated-tag --no-raise 21
+
+          if [ "$(git rev-parse HEAD)" = "$old_sha" ]; then
+            echo "No bump-eligible commits found, skipping release."
+            echo "bumped=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "bumped=true" >> $GITHUB_OUTPUT
           git push --follow-tags
           new_version="$(cz version -p)"
           echo "new_version=$new_version" >> $GITHUB_OUTPUT
           new_version_tag="$(cz version -p --tag)"
           echo "new_version_tag=$new_version_tag" >> $GITHUB_OUTPUT
       - name: Build changelog for Release
+        if: steps.bump-version.outputs.bumped == 'true'
         env:
           NEW_VERSION: ${{ steps.bump-version.outputs.new_version }}
         run: |
           cz changelog --dry-run "${NEW_VERSION}" > .changelog.md
       - name: Release
+        if: steps.bump-version.outputs.bumped == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
           NEW_VERSION_TAG: ${{ steps.bump-version.outputs.new_version_tag }}
diff --git a/examples/trigger-other-job/.github/workflows/bump-release.yaml b/examples/trigger-other-job/.github/workflows/bump-release.yaml
index f6db9d6..c4604de 100644
--- a/examples/trigger-other-job/.github/workflows/bump-release.yaml
+++ b/examples/trigger-other-job/.github/workflows/bump-release.yaml
@@ -23,7 +23,18 @@ jobs:
       - id: bump-version
         run: |
           old_version="$(cz version -p)"
-          cz bump --yes --annotated-tag
+          old_sha="$(git rev-parse HEAD)"
+          # Pass --no-raise 21 so that pushing only non-bump-eligible commits
+          # (e.g. docs:, ci:, build(deps):) does not fail the workflow.
+          cz bump --yes --annotated-tag --no-raise 21
+
+          if [ "$(git rev-parse HEAD)" = "$old_sha" ]; then
+            echo "No bump-eligible commits found, skipping release."
+            echo "bumped=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "bumped=true" >> $GITHUB_OUTPUT
           git push --follow-tags
           new_version="$(cz version -p)"
           new_version_tag="$(cz version -p --tag)"
@@ -32,17 +43,20 @@ jobs:
           echo "new_version=$new_version" >> $GITHUB_OUTPUT
           echo "new_version_tag=$new_version_tag" >> $GITHUB_OUTPUT
       - name: Build changelog for Release
+        if: steps.bump-version.outputs.bumped == 'true'
         env:
           NEW_VERSION: ${{ steps.bump-version.outputs.new_version }}
         run: |
           cz changelog --dry-run "${NEW_VERSION}" > .changelog.md
       - name: Release
+        if: steps.bump-version.outputs.bumped == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
           NEW_VERSION_TAG: ${{ steps.bump-version.outputs.new_version_tag }}
         run: |
           gh release create "${NEW_VERSION_TAG}" --notes-file .changelog.md
       - name: trigger other workflow
+        if: steps.bump-version.outputs.bumped == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
         run: |

From 5f655617b376185b75eee9b9211fde69d9b0329e Mon Sep 17 00:00:00 2001
From: bearomorphism <bearomorphism@users.noreply.github.com>
Date: Fri, 8 May 2026 16:30:10 +0800
Subject: [PATCH 2/3] ci(test): skip test-trigger-other-job when token is
 read-only

The test-trigger-other-job job runs `gh workflow run`, which requires
`actions: write` on the GITHUB_TOKEN. The job has been failing on:

  - Fork PRs (e.g. contributor PRs from forks): fork-originated PRs
    always receive a read-only GITHUB_TOKEN.
  - Dependabot PRs (e.g. #15): even though dependabot creates branches
    in the same repo, the dependabot[bot] actor receives a restricted
    token by default.

Both produce:

    could not create workflow dispatch event: HTTP 403:
    Resource not accessible by integration

Skip this job in both cases by gating on `head.repo.full_name` and on
`github.actor`. The job continues to run on PRs from same-repo
branches authored by humans, where the token has the required
permissions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/test.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 811e217..9f94587 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -81,6 +81,14 @@ jobs:
             assert.ok(changelogContent.includes('### Fix'), 'Expected changelog to contain a header for fixes');
   test-trigger-other-job:
     runs-on: ubuntu-latest
+    # Skip when the token will be read-only and `gh workflow run` would
+    # fail with HTTP 403 ("Resource not accessible by integration"):
+    #   - Fork PRs: GITHUB_TOKEN is always read-only on fork-originated PRs.
+    #   - Dependabot PRs: even though the branch is in the same repo, the
+    #     dependabot[bot] actor receives a restricted token by default.
+    if: >-
+      github.event.pull_request.head.repo.full_name == github.repository &&
+      github.actor != 'dependabot[bot]'
     steps:
       - uses: actions/checkout@v6
         with:

From 11cde08751cf5c6840d30a1e2de4587382e1af47 Mon Sep 17 00:00:00 2001
From: Tim Hsiung <bear890707@gmail.com>
Date: Sat, 9 May 2026 14:10:10 +0800
Subject: [PATCH 3/3] fix(examples): place --no-raise before bump subcommand

`--no-raise` is a top-level commitizen option, so it must appear
before the `bump` subcommand. With it placed after, argparse treats
`--no-raise 21` as unknown trailing arguments and the CLI exits with
code 18 (`INVALID_COMMAND_ARGUMENT`):

    Invalid commitizen arguments were found: `--no-raise`.
    Please use -- separator for extra git args

This is what failed the bump workflow on commitizen-tools/commitizen
master in run 25542335831, which copy-pasted the same pattern from
these examples.

Move the option before `bump` in both examples and add a comment so
future readers do not repeat the mistake.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 examples/bump-release.yaml                                | 8 +++++---
 .../trigger-other-job/.github/workflows/bump-release.yaml | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/examples/bump-release.yaml b/examples/bump-release.yaml
index 4297dd8..06540d1 100644
--- a/examples/bump-release.yaml
+++ b/examples/bump-release.yaml
@@ -23,9 +23,11 @@ jobs:
       - id: bump-version
         run: |
           old_sha="$(git rev-parse HEAD)"
-          # Pass --no-raise 21 so that pushing only non-bump-eligible commits
-          # (e.g. docs:, ci:, build(deps):) does not fail the workflow.
-          cz bump --yes --annotated-tag --no-raise 21
+          # Pass `--no-raise 21` so that pushing only non-bump-eligible commits
+          # (e.g. docs:, ci:, build(deps):) does not fail the workflow. Note
+          # that `--no-raise` is a top-level option and must come before the
+          # `bump` subcommand. Exit code 21 is NO_COMMITS_TO_BUMP.
+          cz --no-raise 21 bump --yes --annotated-tag
 
           if [ "$(git rev-parse HEAD)" = "$old_sha" ]; then
             echo "No bump-eligible commits found, skipping release."
diff --git a/examples/trigger-other-job/.github/workflows/bump-release.yaml b/examples/trigger-other-job/.github/workflows/bump-release.yaml
index c4604de..2998cc2 100644
--- a/examples/trigger-other-job/.github/workflows/bump-release.yaml
+++ b/examples/trigger-other-job/.github/workflows/bump-release.yaml
@@ -24,9 +24,11 @@ jobs:
         run: |
           old_version="$(cz version -p)"
           old_sha="$(git rev-parse HEAD)"
-          # Pass --no-raise 21 so that pushing only non-bump-eligible commits
-          # (e.g. docs:, ci:, build(deps):) does not fail the workflow.
-          cz bump --yes --annotated-tag --no-raise 21
+          # Pass `--no-raise 21` so that pushing only non-bump-eligible commits
+          # (e.g. docs:, ci:, build(deps):) does not fail the workflow. Note
+          # that `--no-raise` is a top-level option and must come before the
+          # `bump` subcommand. Exit code 21 is NO_COMMITS_TO_BUMP.
+          cz --no-raise 21 bump --yes --annotated-tag
 
           if [ "$(git rev-parse HEAD)" = "$old_sha" ]; then
             echo "No bump-eligible commits found, skipping release."