ci: use GitHub App token for release-please #12
Merged
Replace the default GITHUB_TOKEN with a token minted from a GitHub App via actions/create-github-app-token. App tokens trigger workflows on PRs they open, so CI will now run on release-please PRs (which is required once branch protection enforces status checks on main).

Requires repo-level configuration:
- variable: RELEASE_PLEASE_APP_ID
- secret: RELEASE_PLEASE_APP_PRIVATE_KEY

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace the default GITHUB_TOKEN with a token minted from a GitHub App via actions/create-github-app-token.

Why

PRs opened by the default GITHUB_TOKEN do not trigger other workflows, so CI never runs on release-please PRs. Once branch protection enforces required status checks on main, those release PRs would become unmergeable.

App tokens are also strictly better than PATs: no expiration to babysit, not tied to a user account, fine-grained per-repo scoping, and auto-rotated by GitHub.

Required repo configuration before next release-please run

- RELEASE_PLEASE_APP_ID (the App's numeric ID)
- RELEASE_PLEASE_APP_PRIVATE_KEY (full .pem contents)

The App needs Contents + Pull requests + Issues = read/write, installed on this repo only.

Related

A disabled branch ruleset (main-protection, id 16976216) was created out-of-band requiring test (3.11|3.12|3.13) checks. Enable it after verifying release-please works with the App token.
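
A workflow of the kind the description above configures, as an added example that is not the diff from this PR. The file path, trigger, action version tags and the choice of googleapis/release-please-action are assumptions; only the two configuration names and actions/create-github-app-token come from the page.

```yaml
# Hypothetical .github/workflows/release-please.yml (added example, not this repo's file)
name: release-please

on:
  push:
    branches: [main]

# All writes go through the App token, so the default GITHUB_TOKEN gets no permissions.
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # Exchanges the App's private key for a short-lived installation token.
      # With no owner/repositories inputs, the token is scoped to the current repo only.
      - name: Mint installation token from the GitHub App
        id: app-token
        uses: actions/create-github-app-token@v1  # assumed tag; pin to a commit SHA in practice
        with:
          app-id: ${{ vars.RELEASE_PLEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}

      # PRs opened with this token are attributed to the App, so pull_request
      # workflows (the required status checks) run on them.
      - name: Run release-please with the App token
        uses: googleapis/release-please-action@v4  # assumed action and version
        with:
          token: ${{ steps.app-token.outputs.token }}
```

Because the private key can mint tokens with every permission granted to the App, the repo-only installation and the three read/write scopes listed above are what bound the impact of a leaked secret.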