feat(release): support GitHub App token for branch-protection bypass#16
Merged
Conversation
Adds optional RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY secrets to the release reusable. When present, the job mints a short-lived installation token via actions/create-github-app-token and uses it as GITHUB_TOKEN for semantic-release. Falls back to the built-in GITHUB_TOKEN when absent, so existing consumers without branch protection are unaffected. Unblocks @semantic-release/git pushes on repos whose `main` is protected by a "PRs required" ruleset (GH013) without reintroducing a long-lived PAT — the App token only exists during the release job, which runs on push:main and is never reached by Dependabot PRs.
Member
Author
|
Warning Blocked — do not merge yet. This PR cannot be validated end-to-end until the Action required from an org owner: add the Once that's done, the test plan above can be executed against |
Member
Author
|
ready to merge |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
release.yml—RELEASE_APP_IDandRELEASE_APP_PRIVATE_KEY. When set, the job mints a short-lived GitHub App installation token viaactions/create-github-app-token@v1and uses it asGITHUB_TOKENforsemantic-release.GITHUB_TOKENwhen the secrets are absent — fully backwards compatible for existing consumers.docs/secrets.mdand adds a troubleshooting entry indocs/troubleshooting.mdfor theGH013error.Why
@semantic-release/git(in the defaultextra-pluginsset) tries to push the version-bump + CHANGELOG commit back tomain. The built-inGITHUB_TOKENcannot bypass org-level rulesets that require PRs, so the release job fails withGH013: Repository rule violations foundon any repo wheremainis protected. This currently breaks releases onfeature-engine(and will break any new consumer with the same protection).Reintroducing a PAT was rejected because the project moved off PATs to keep Dependabot CI working with
GITHUB_TOKEN. A GitHub App token sidesteps that — the token only exists during the release job (which runs onpush: main, never on Dependabot PRs), and lives ~1h instead of forever.Test plan
feature-engineat the new tag (@v1will move automatically) and re-run its release workflow withRELEASE_APP_ID/RELEASE_APP_PRIVATE_KEYset. Verify the version-bump commit lands onmainand the GitHub Release is published.ci.yml/deploy.yml) is unaffected — fallback to built-in token preserves prior behavior.Notes
required: falseon both new secrets, default-preserving fallback) so it stays on the v1.x line.feature-engine: an org owner (@beogiporleozakour) needs to add theRefokus Release BotGitHub App to the bypass list of the org-levelmainruleset. Tracked outside this PR.