Context
The GitHub App currently named "DevSecNinja Release Please" (App ID 3563533) is no longer release-please-specific. Its actual job is generic: open PRs under branch protection so required CI fires (PRs opened with GITHUB_TOKEN don't trigger workflow runs, by GitHub design; an App identity does).
It's already reused beyond release-please:
So the RELEASE_PLEASE_APP_ID variable and RELEASE_PLEASE_APP_PRIVATE_KEY secret names are misleading — they describe one consumer of a general-purpose identity.
Proposed change
Rename the App and its credentials to something that reflects the broader responsibility, e.g.:
- App:
DevSecNinja Automation (or DevSecNinja CI Bot)
- Variable:
AUTOMATION_APP_ID
- Secret:
AUTOMATION_APP_PRIVATE_KEY
Migration considerations (why this is deferred, not done now)
This is a coordinated, multi-repo change — hence a tracking issue rather than bundling it into #195:
- Add new var/secret first with the same App credentials (App ID + private key are unchanged — only the GitHub-side variable/secret names change), to every repo that has them.
- Update all callers to reference the new names:
release-please-caller.yml, apm-sync-caller.yml, and the reusable workflows' input docs/examples (release-please.yml, apm-sync.yml).
- Update docs:
docs/release-please-onboarding.md, docs/apm-sync-onboarding.md.
- Optionally rename the App display name in the App settings (cosmetic; doesn't affect the App ID or tokens).
- Remove the old
RELEASE_PLEASE_APP_* var/secret once nothing references them.
Keep both names working during the transition (callers can fall back) to avoid a flag-day break.
Acceptance criteria
References
Context
The GitHub App currently named "DevSecNinja Release Please" (App ID
3563533) is no longer release-please-specific. Its actual job is generic: open PRs under branch protection so required CI fires (PRs opened withGITHUB_TOKENdon't trigger workflow runs, by GitHub design; an App identity does).It's already reused beyond release-please:
release-please.yml(original use)apm-sync.ymlreusable + theapm-sync-caller.ymlconsumer (feat(apm): activate apm-sync on the .github consumer #195)open-pr, autofix, etc.)So the
RELEASE_PLEASE_APP_IDvariable andRELEASE_PLEASE_APP_PRIVATE_KEYsecret names are misleading — they describe one consumer of a general-purpose identity.Proposed change
Rename the App and its credentials to something that reflects the broader responsibility, e.g.:
DevSecNinja Automation(orDevSecNinja CI Bot)AUTOMATION_APP_IDAUTOMATION_APP_PRIVATE_KEYMigration considerations (why this is deferred, not done now)
This is a coordinated, multi-repo change — hence a tracking issue rather than bundling it into #195:
release-please-caller.yml,apm-sync-caller.yml, and the reusable workflows' input docs/examples (release-please.yml,apm-sync.yml).docs/release-please-onboarding.md,docs/apm-sync-onboarding.md.RELEASE_PLEASE_APP_*var/secret once nothing references them.Keep both names working during the transition (callers can fall back) to avoid a flag-day break.
Acceptance criteria
RELEASE_PLEASE_APP_*names removed after migrationReferences
docs/apm-sync-onboarding.mdalready recommends reusing the release-please App credentials for apm-sync