Skip to content

feat(release): support GitHub App token for branch-protection bypass#16

Merged
taprile314 merged 1 commit into
mainfrom
feat/release-app-token-bypass
Apr 29, 2026
Merged

feat(release): support GitHub App token for branch-protection bypass#16
taprile314 merged 1 commit into
mainfrom
feat/release-app-token-bypass

Conversation

@taprile314

Copy link
Copy Markdown
Member

Summary

  • Adds two optional secrets to release.ymlRELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY. When set, the job mints a short-lived GitHub App installation token via actions/create-github-app-token@v1 and uses it as GITHUB_TOKEN for semantic-release.
  • Falls back to the built-in GITHUB_TOKEN when the secrets are absent — fully backwards compatible for existing consumers.
  • Documents the setup in docs/secrets.md and adds a troubleshooting entry in docs/troubleshooting.md for the GH013 error.

Why

@semantic-release/git (in the default extra-plugins set) tries to push the version-bump + CHANGELOG commit back to main. The built-in GITHUB_TOKEN cannot bypass org-level rulesets that require PRs, so the release job fails with GH013: Repository rule violations found on any repo where main is protected. This currently breaks releases on feature-engine (and will break any new consumer with the same protection).

Reintroducing a PAT was rejected because the project moved off PATs to keep Dependabot CI working with GITHUB_TOKEN. A GitHub App token sidesteps that — the token only exists during the release job (which runs on push: main, never on Dependabot PRs), and lives ~1h instead of forever.

Test plan

  • CI on this PR is green.
  • After merge + release-please cuts the new minor, point feature-engine at the new tag (@v1 will move automatically) and re-run its release workflow with RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY set. Verify the version-bump commit lands on main and the GitHub Release is published.
  • Confirm a consumer without the secrets (e.g. a repo using only ci.yml / deploy.yml) is unaffected — fallback to built-in token preserves prior behavior.

Notes

  • This is an additive change (required: false on both new secrets, default-preserving fallback) so it stays on the v1.x line.
  • Setup walkthrough lives in docs/secrets.md → Release bypass with a GitHub App.
  • Pending org-level work to actually use this on feature-engine: an org owner (@beogip or leozakour) needs to add the Refokus Release Bot GitHub App to the bypass list of the org-level main ruleset. Tracked outside this PR.

Adds optional RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY secrets to the
release reusable. When present, the job mints a short-lived installation
token via actions/create-github-app-token and uses it as GITHUB_TOKEN for
semantic-release. Falls back to the built-in GITHUB_TOKEN when absent, so
existing consumers without branch protection are unaffected.

Unblocks @semantic-release/git pushes on repos whose `main` is protected
by a "PRs required" ruleset (GH013) without reintroducing a long-lived
PAT — the App token only exists during the release job, which runs on
push:main and is never reached by Dependabot PRs.
@taprile314

taprile314 commented Apr 28, 2026

Copy link
Copy Markdown
Member Author

Warning

Blocked — do not merge yet.

This PR cannot be validated end-to-end until the Refokus Release Bot GitHub App is added to the bypass list of the org-level main ruleset). Without that step, even with the secrets set on the consumer repo, the App token still gets rejected by the ruleset.

Action required from an org owner: add the Refokus Release Bot app to the ruleset's bypass list, mode "Always".

Once that's done, the test plan above can be executed against feature-engine and this PR can be merged.

@taprile314 taprile314 marked this pull request as draft April 28, 2026 17:54
@taprile314

Copy link
Copy Markdown
Member Author

ready to merge

@taprile314 taprile314 marked this pull request as ready for review April 29, 2026 14:55
@taprile314 taprile314 merged commit 6198c74 into main Apr 29, 2026
1 check was pending
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant