
ci: repoint release lane dispatch to AWS (devexp-argocd-apps)#1654

Merged: MuncleUscles merged 1 commit into main from chore/repoint-release-dispatch-to-aws on Jun 2, 2026

Conversation


@rrabenda rrabenda commented Jun 2, 2026

Repoints release-from-main.yml's post-build dispatch from the GCP workload repo to the AWS release lane in genlayerlabs/devexp-argocd-apps.

  • trigger-workload-release-lane now mints a token from the release-lane GitHub App (actions/create-github-app-token@v3, scoped to devexp-argocd-apps) instead of the shared CI bot via tibdex/github-app-token.
  • Dispatch switched to repository_dispatch (event_type=release-backend); was a workflow_dispatch against the GCP release-studio-backend-start.yml.

Part of the dev+stg→AWS cutover: AWS owns dev/stg/rally-prd-tier and fans out to GCP for true-prd.

Requires repo var RELEASE_LANE_APP_CLIENT_ID + secret RELEASE_LANE_APP_KEY and the release-lane App installed on this repo.

Summary by CodeRabbit

  • Chores
    • Updated release deployment workflow configuration to enhance the efficiency and security of the automated release process.

Post-build dispatch in release-from-main now targets the AWS release lane
in genlayerlabs/devexp-argocd-apps via repository_dispatch
(event_type=release-backend), using a release-lane GitHub App token scoped
to that repo instead of the shared CI bot. Part of the dev+stg->AWS cutover.
coderabbitai Bot commented Jun 2, 2026

Walkthrough

The release-from-main workflow is updated to dispatch release events to an external devexp-argocd-apps repository via GitHub App authentication. Token generation now uses actions/create-github-app-token with dedicated release-lane credentials, and the dispatch mechanism shifts from workflow API to repository dispatch with backend image digest payloads.

Changes

Release dispatch to AWS release lane

  • GitHub App token authentication for devexp-argocd-apps (.github/workflows/release-from-main.yml): Token generation step replaced to use actions/create-github-app-token with RELEASE_LANE_APP_CLIENT_ID and RELEASE_LANE_APP_KEY credentials scoped to the devexp-argocd-apps repository.
  • Repository dispatch to AWS release lane with image digests (.github/workflows/release-from-main.yml): Dispatch mechanism changed from workflow dispatch endpoint to repository_dispatch API call targeting devexp-argocd-apps with event_type: "release-backend" and client_payload containing backend image digests. Step name updated to "Trigger AWS Release Lane".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • genlayerlabs/genlayer-studio#1425: Both PRs modify the same .github/workflows/release-from-main.yml to authenticate as a GitHub App, resolve/pin Docker image digests, and then dispatch a downstream release lane/workflow based on those digest inputs.
  • genlayerlabs/genlayer-studio#1495: Both PRs update the same .github/workflows/release-from-main.yml to replace the prior curl/workflow-dispatch triggering with a repository_dispatch call that sends an event_type like release-backend plus image digests via client_payload.
  • genlayerlabs/genlayer-studio#1426: Both PRs modify .github/workflows/release-from-main.yml to resolve backend Docker image digests and include them in the release dispatch payload (e.g., consensus/worker digest handling), so the changes are tightly connected at the workflow/dispatch level.

Suggested labels

released

Suggested reviewers

  • cristiam86

Poem

🐰 From workload lanes to AWS we go,
With GitHub App tokens and digests in tow,
Repository dispatch sends backend with pride,
The release pipeline's on the right side!

Pre-merge checks: 4 passed, 1 inconclusive

Failed checks (1 inconclusive)
  • Description check: Inconclusive. The description covers key changes and context, but is missing several required template sections including explicit 'What/Why/Testing done/Decisions made' structure and testing verification. Resolution: Restructure the description to follow the template with explicit 'What', 'Why', 'Testing done' sections and complete the 'Checks' checklist to provide clear documentation for reviewers.

Passed checks (4 passed)
  • Title check: Passed. The title clearly and concisely summarizes the main change: repointing release dispatch to AWS in the devexp-argocd-apps repository.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


sonarqubecloud Bot commented Jun 2, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-from-main.yml:
- Line 57: The workflow step "Get release-lane token" currently uses the moving
tag actions/create-github-app-token@v3; update that uses line to a full commit
SHA (replace actions/create-github-app-token@v3 with
actions/create-github-app-token@<full-commit-sha>) and do the same for other
unpinned actions found (actions/checkout@v6, actions/setup-node@v6,
docker/setup-buildx-action@v3) by locating their use lines and replacing the
semver tags with the exact commit SHAs from each action repository so the
workflow is fully pinned.
Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6519cb69-3fe3-4457-a9b5-e581b51298ae

📥 Commits

Reviewing files that changed from the base of the PR and between 57e9251 and 9027c90.

📒 Files selected for processing (1)
  • .github/workflows/release-from-main.yml

uses: tibdex/github-app-token@v2
- name: Get release-lane token
id: release_lane_token
uses: actions/create-github-app-token@v3
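Review bot: the new `uses: actions/create-github-app-token@v3` line replaces one moving tag (`tibdex/github-app-token@v2`) with another; pin it to the full commit SHA of the v3 release you tested (a trailing `# v3` comment keeps it readable), and do the same for the other `uses:` lines in this file, because a tag can be re-pointed to different code after review. The snippet stops at the `uses:` line and does not show the step's `with:` inputs, but zizmor's `github-app` finding on this same line means no `permission-*` input is set, so the minted token carries every permission the release-lane App's installation has rather than the single one a repository_dispatch needs; add `permission-contents: write` next to the `owner:`/`repositories: devexp-argocd-apps` scoping the PR body describes. actionlint also reports the required `app-id` input as missing here; if the step passes the client ID under a different input name, confirm the pinned version's action.yml accepts it before merging.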

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/release-from-main.yml"
echo "== File = $FILE =="
echo
nl -ba "$FILE" | sed -n '40,90p'
echo
echo "== All uses: lines in file =="
rg -n "^\s*uses:\s*" "$FILE" || true

Repository: genlayerlabs/genlayer-studio

Length of output: 187


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/release-from-main.yml"
echo "== File = $FILE =="
echo
if command -v awk >/dev/null 2>&1; then
  awk 'NR>=40 && NR<=90{printf "%d\t%s\n", NR, $0}' "$FILE"
else
  echo "awk not available"
  exit 1
fi

echo
echo "== All uses: occurrences in file =="
rg -n "^\s*uses:\s*" "$FILE" || true

Repository: genlayerlabs/genlayer-studio

Length of output: 2425


Pin actions/create-github-app-token to a full commit SHA.

  • .github/workflows/release-from-main.yml uses actions/create-github-app-token@v3 in Get release-lane token, which is an unpinned moving tag (unpinned-uses).
  • This workflow also has other unpinned action tags (actions/checkout@v6, actions/setup-node@v6, docker/setup-buildx-action@v3), which may be subject to the same policy.
Tools

actionlint (1.7.12)
  [error] 57-57: missing input "app-id" which is required by action "actions/create-github-app-token@v3". all required inputs are "app-id", "private-key" (action)

zizmor (1.25.2)
  [error] 57-57: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
  [error] 57-57: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

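As an added example (not code from this PR or from the genlayer-studio repository), the script below implements the two checks zizmor reports in the comment above, unpinned-uses and github-app, and runs them over a constructed workflow: one sample mirrors the token step described in the PR body (moving `@v3` tag, no `permission-*` inputs), the other shows the hardened form the review asks for, including the repository_dispatch call with `event_type: release-backend`. Assumptions: the 40-hex SHA in the hardened sample is a placeholder, not a real commit of actions/create-github-app-token; `permission-contents: write` is taken as the minimum the dispatches endpoint needs; `steps.build.outputs.digest` stands in for a hypothetical earlier build step; the `app-id`, `owner`, `repositories` and `permission-*` input names are the ones documented by the action.

```python
"""Lint a GitHub Actions workflow for the two zizmor findings on this PR: `uses:`
refs that are moving tags rather than full commit SHAs (unpinned-uses) and
create-github-app-token steps that inherit blanket installation permissions
(github-app). Line-based: handles ordinary `steps:` lists, not arbitrary YAML."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
KEY_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
APP_TOKEN_ACTION = "actions/create-github-app-token"


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line of the offending `uses:`
    rule: str      # zizmor-style rule id
    message: str


def parse_steps(workflow: str) -> list[dict]:
    """One dict per `- ` list item: its `uses:` ref and line, plus the inputs under `with:`."""
    steps, cur, with_indent = [], None, None
    for no, raw in enumerate(workflow.splitlines(), 1):
        body = raw.lstrip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(body)
        if body.startswith("- "):                     # new list item = new step
            cur = {"uses": None, "uses_line": None, "with": {}}
            steps.append(cur)
            with_indent = None
            body, indent = body[2:], indent + 2
        m = KEY_RE.match(body)
        if cur is None or not m:
            continue                                   # before first step, or `run:` script text
        key = m.group(1)
        value = re.split(r"\s+#", m.group(2))[0].strip()  # drop an inline YAML comment
        if with_indent is not None and indent > with_indent:
            cur["with"][key] = value                   # an input under `with:`
        elif key == "uses":
            cur["uses"], cur["uses_line"] = value, no
        else:
            with_indent = indent if key == "with" else None
    return steps


def lint(workflow: str) -> list[Finding]:
    findings = []
    for step in parse_steps(workflow):
        ref = step["uses"]
        if ref is None or ref.startswith(("./", "docker://")):
            continue                                   # run-only step, local action, or image ref
        action, _, rev = ref.partition("@")
        if not SHA_RE.match(rev):
            findings.append(Finding(step["uses_line"], "unpinned-uses",
                                    f"{ref}: a tag can be re-pointed; pin to a full commit SHA"))
        if action == APP_TOKEN_ACTION:
            inputs = step["with"]
            if not any(k.startswith("permission-") for k in inputs):
                findings.append(Finding(step["uses_line"], "github-app",
                                        "no permission-* input: token gets every permission of the installation"))
            if "owner" in inputs and "repositories" not in inputs:
                findings.append(Finding(step["uses_line"], "github-app",
                                        "owner without repositories: token is valid for every repo in that installation"))
    return findings


# Constructed sample mirroring the step this PR adds: moving tag, no permission inputs.
# Variable/secret names are from the PR description; input names are the action's own.
AS_REVIEWED = """\
steps:
  - name: Get release-lane token
    id: release_lane_token
    uses: actions/create-github-app-token@v3
    with:
      app-id: ${{ vars.RELEASE_LANE_APP_CLIENT_ID }}
      private-key: ${{ secrets.RELEASE_LANE_APP_KEY }}
      owner: genlayerlabs
      repositories: devexp-argocd-apps
"""

# Hardened form: SHA-pinned (placeholder SHA, not a real commit), scoped to one repo, granted only
# contents:write (what POST /repos/{owner}/{repo}/dispatches needs). steps.build is hypothetical.
HARDENED = """\
steps:
  - name: Get release-lane token
    id: release_lane_token
    uses: actions/create-github-app-token@0123456789abcdef0123456789abcdef01234567  # v3 (placeholder)
    with:
      app-id: ${{ vars.RELEASE_LANE_APP_CLIENT_ID }}
      private-key: ${{ secrets.RELEASE_LANE_APP_KEY }}
      owner: genlayerlabs
      repositories: devexp-argocd-apps
      permission-contents: write
  - name: Trigger AWS Release Lane
    env:
      TOKEN: ${{ steps.release_lane_token.outputs.token }}
      BACKEND_DIGEST: ${{ steps.build.outputs.digest }}
    run: |
      curl --fail -sS -X POST -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.github+json" \\
        "https://api.github.com/repos/genlayerlabs/devexp-argocd-apps/dispatches" \\
        -d "$(jq -n --arg d "$BACKEND_DIGEST" '{event_type: "release-backend", client_payload: {backend_digest: $d}}')"
"""
```

Run `lint()` over each file under .github/workflows/ as a pre-commit or CI gate; the parser deliberately stops short of a full YAML loader, so treat it as a complement to zizmor rather than a replacement.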

@MuncleUscles MuncleUscles merged commit bfa101c into main Jun 2, 2026
32 of 33 checks passed

github-actions Bot commented Jun 2, 2026

🎉 This PR is included in version 0.121.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
