ci(release): mint GitHub App installation token instead of RELEASE_TOKEN PAT #494
Nashon-Steffen wants to merge 1 commit into main from
…KEN PAT

Replace the long-lived RELEASE_TOKEN PAT with a GitHub App installation token (via actions/create-github-app-token) for both create-release-pr.yml and create-release-tag.yml. The installation token is short-lived (1h), repository-scoped, and avoids the GITHUB_TOKEN limitation where downstream workflows do not fire.

Refs: stacklok/toolhive#4835
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Nashon Steffen <nashon@stacklok.com>
peppescg left a comment:
Thanks!
Skip the grype and pnpm audit; I will take care of it in a dedicated PR.
Pull request overview
Replaces the long-lived RELEASE_TOKEN PAT used by release automation with a short-lived GitHub App installation token, so release/tag events can still trigger downstream workflows while reducing credential risk.
Changes:
- Mint a GitHub App installation token via `actions/create-github-app-token@v3.1.1` in the release PR workflow and pass it to `stacklok/releaseo`.
- Mint and use the same GitHub App token in the release tag workflow for pushing tags and creating GitHub Releases (instead of a PAT).
- Update inline comments to reflect the new token strategy.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/create-release-tag.yml` | Generates a GitHub App token and uses it as `GH_TOKEN` for tag push + `gh release create`. |
| `.github/workflows/create-release-pr.yml` | Generates a GitHub App token and passes it to releaseo for creating the release PR. |
| # Create GitHub Release (triggers docker-publish.yml and releaser-helm-chart.yml) | ||
| # Note: Must use PAT (GH_TOKEN) because GITHUB_TOKEN cannot trigger other workflows | ||
| # Note: Uses a GitHub App installation token rather than GITHUB_TOKEN, | ||
| # because events from GITHUB_TOKEN cannot trigger downstream workflows. |
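Review bot: the new note on the last two lines drops the one operational detail the removed line carried, that the token is supplied through GH_TOKEN, so a reader of this step can no longer tell which variable `gh release create` reads; suggest `# Note: GH_TOKEN holds a GitHub App installation token (1h, repo-scoped) rather than GITHUB_TOKEN,` followed by the existing `# because events from GITHUB_TOKEN cannot trigger downstream workflows.`, which also records the lifetime the commit message promises.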
The note here says the GitHub Release triggers downstream workflows, but earlier in this same file the header comment says the tag push triggers docker/helm workflows (via on: push: tags: ["v*"]). These comments contradict the actual setup (release-ui.yml triggers on release: published). Please update the surrounding documentation so it consistently reflects the real trigger path (Release published -> release-ui.yml -> workflow_call jobs).
Summary
- Replaces the `RELEASE_TOKEN` PAT with a GitHub App installation token minted via `actions/create-github-app-token@v3.1.1` in `create-release-pr.yml` and `create-release-tag.yml`.
- `GITHUB_TOKEN` cannot trigger downstream workflows (e.g. `docker-publish.yml`, `releaser-helm-chart.yml`).

Pre-merge configuration (required)
The release workflows will fail until the following are configured on this repo:
- A GitHub App installed on `stacklok/toolhive-cloud-ui` with repository permissions:
  - `contents: write` (for the tag workflow)
  - `pull-requests: write` (for the release PR workflow)
- Repository variable `RELEASE_APP_CLIENT_ID` set to the app's Client ID.
- Repository secret `RELEASE_APP_PRIVATE_KEY` set to the app's private key (PEM).

Post-merge cleanup
- Remove the `RELEASE_TOKEN` repository secret from repo settings.

Test plan
- GitHub App installed on `stacklok/toolhive-cloud-ui` with required permissions.
- `vars.RELEASE_APP_CLIENT_ID` and `secrets.RELEASE_APP_PRIVATE_KEY` are set on the repo.
- Run `Create Release PR` (patch bump) once via `workflow_dispatch` and confirm the PR is opened by the App actor.
- Confirm `create-release-tag.yml` succeeds, the tag is pushed, the GitHub Release is published, and `docker-publish.yml` + `releaser-helm-chart.yml` fire.
- Remove the `RELEASE_TOKEN` repo secret.

Refs: stacklok/toolhive#4835
🤖 Generated with Claude Code
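The mint-then-use pattern the description and test plan lay out (an App installation token minted from `vars.RELEASE_APP_CLIENT_ID` and `secrets.RELEASE_APP_PRIVATE_KEY`, then used as `GH_TOKEN` for the tag push and `gh release create`), written out as an added example for the tag workflow. This is not the PR's own diff: the workflow name, the `version` dispatch input, the step names, the job-level `permissions` block and the `gh release create` flags are assumptions, and the `actions/create-github-app-token` inputs are used as that action documents them.

```yaml
# Added example, not the PR's create-release-tag.yml. Names marked "assumed"
# are illustrative; the variable/secret names and the action version are the
# ones the PR description gives.
name: Create Release Tag   # assumed workflow name

on:
  workflow_dispatch:
    inputs:
      version:             # assumed input: semver without the leading "v"
        description: "Version to tag, e.g. 1.4.2"
        required: true

# Every write below goes through the App token, so GITHUB_TOKEN can be
# reduced to read-only for the whole workflow (least privilege for the
# token the runner hands out automatically).
permissions:
  contents: read

jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - name: Mint short-lived App installation token
        id: app-token
        uses: actions/create-github-app-token@v3.1.1
        with:
          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
          # Ask for only the permission this job needs; the App installation
          # may hold more (e.g. pull-requests: write for the release PR
          # workflow), but this token will not. With no owner/repositories
          # set the action scopes the token to the current repository.
          permission-contents: write
          # The token lives one hour and, per the action's docs, is revoked
          # in the action's post step, so a later job cannot reuse it.

      - name: Check out with the App token
        uses: actions/checkout@v4
        with:
          # Persisting this token (instead of GITHUB_TOKEN) is what makes the
          # git push below fire on: push: tags: workflows.
          token: ${{ steps.app-token.outputs.token }}

      - name: Push tag
        env:
          VERSION: ${{ inputs.version }}
        run: |
          git tag "v${VERSION}"
          git push origin "v${VERSION}"

      - name: Create GitHub Release
        env:
          # gh reads GH_TOKEN; with the App token the resulting
          # "release: published" event triggers downstream workflows,
          # which it would not do under GITHUB_TOKEN.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          VERSION: ${{ inputs.version }}
        run: gh release create "v${VERSION}" --title "v${VERSION}" --generate-notes
```

The two things worth checking when adapting this: that the `permission-*` inputs requested are a subset of what the App installation was granted (the mint step fails otherwise), and that anything the job needs to do with the token happens in the same job, since the token is gone once the minting step's post action runs.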