
fix(release): develop to main #383

Merged: bedatty merged 3 commits into main from develop on May 28, 2026

@bedatty bedatty commented May 28, 2026

Lerian

GitHub Actions Shared Workflows


Description

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow
  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @this-branch or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #

Summary by CodeRabbit

  • Chores
    • Updated GitHub workflow action dependencies to use newer versions of the GitHub App token generation action across multiple workflows.
    • Updated service deployment configuration to enable broader availability across additional deployment clusters.

dependabot Bot and others added 3 commits May 18, 2026 20:27
Bumps the release group with 1 update: [actions/create-github-app-token](https://github.com/actions/create-github-app-token).


Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md)
- [Commits](actions/create-github-app-token@1b10c78...bcd2ba4)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: release
...

Signed-off-by: dependabot[bot] <support@github.com>
…evelop/release-9f1c31c749

chore(deps): bump actions/create-github-app-token from 3.1.1 to 3.2.0 in the release group
…notifications

chore(deployment-matrix): update matrix lerian notifications
@bedatty bedatty requested a review from a team as a code owner May 28, 2026 16:36

coderabbitai Bot commented May 28, 2026

Walkthrough

This PR contains two independent updates: a pinned dependency bump of actions/create-github-app-token from v3.1.1 to v3.2.0 across seven workflows, and registration of lerian-notification in the deployment matrix for three clusters with removal of the prior development-only qualifier.

Changes

GitHub App Token Action Update

| Layer / File(s) | Summary |
|---|---|
| Update actions/create-github-app-token to v3.2.0 (.github/workflows/backmerge.yml, gptchangelog.yml, helm-update-chart.yml, helm-upgrade-doc.yml, release-notification.yml, release.yml, typescript-release.yml) | Pinned commit SHA for actions/create-github-app-token bumped from v3.1.1 to v3.2.0 in all token generation steps without altering step inputs or workflow logic. |

Deployment Matrix Configuration

| Layer / File(s) | Summary |
|---|---|
| Register lerian-notification in deployment matrix (config/deployment-matrix.yml) | lerian-notification is added to global apps.registry (removing prior "firmino-dev only today" note) and mapped to clotilde, anacleto, and benedita clusters. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

Suggested labels

workflow, dependencies, deployment-matrix, size/XS

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | Description is incomplete; the 'Description' section summarizing what the PR does and which workflows are affected is empty, and no caller repo/workflow run link is provided despite testing being marked complete. | Fill in the Description section explaining the action version bump across six workflows and the deployment-matrix.yml changes. Add the caller repo/workflow run link to validate the testing claim. |
| Title check | ❓ Inconclusive | Title is vague and does not describe the actual changes; 'develop to main' suggests a merge operation rather than the dependency bumps and config updates present in the changeset. | Use a more descriptive title reflecting the primary changes, such as 'chore: bump actions/create-github-app-token to v3.2.0 and update deployment matrix' or 'chore(deps): update GitHub App token action and deployment config'. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@lerian-studio lerian-studio added size/XS PR changes < 50 lines workflow Changes to one or more reusable workflow files typescript Changes to TypeScript or Frontend workflows notify Changes to notification composite actions (src/notify/) deployment-matrix Changes to the canonical deployment matrix (config/deployment-matrix.yml) changelog Changes to changelog generation composite actions (src/changelog/) labels May 28, 2026

lerian-studio commented May 28, 2026

🔍 PR Validation Summary

✅ PR Mergeable — no blocking failures

| Check | Status | Blocking |
|---|---|---|
| Source Branch | ✅ success | yes |
| PR Title | ✅ success | yes |
| PR Description | ✅ success | yes |
| PR Size | ✅ success | no |
| Auto Labels | ✅ success | no |
| PR Metadata | ✅ success | no |


lerian-studio commented May 28, 2026

🔍 Lint Analysis

| Check | Files Scanned | Status |
|---|---|---|
| YAML Lint | 8 file(s) | ✅ success |
| Action Lint | 7 file(s) | ✅ success |
| Pinned Actions | 7 file(s) | ✅ success |
| Markdown Link Check | no changes | ⏭️ skipped |
| Spelling Check | 8 file(s) | ✅ success |
| Shell Check | 7 file(s) | ✅ success |
| README Check | 7 file(s) | ✅ success |
| Composite Schema | no changes | ⏭️ skipped |
| Deployment Matrix | 1 file(s) | ✅ success |

⚠️ Warnings (3)

Pinned Actions

.github

  • .github (line 107) — Found 2 internal action(s) not pinned to a version. Consider pinning to vX.Y.Z.

.github/workflows/release-notification.yml

  • .github/workflows/release-notification.yml (line 180) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/notify/slack-release@v1.18.0
  • .github/workflows/release-notification.yml (line 168) — Internal composite must use floating major tag (e.g. @v1) or develop/main for testing: uses: LerianStudio/github-actions-shared-workflows/src/notify/discord-release@v1.18.0


lerian-studio commented May 28, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.



@coderabbitai coderabbitai Bot left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.

👉 Steps to fix this

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/backmerge.yml (1)

145-149: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope GitHub App token permissions to least privilege in .github/workflows/backmerge.yml
actions/create-github-app-token with no permission-* inputs will issue a token inheriting all permissions granted to the GitHub App installation; set explicit permission-* values (and keep repositories/owner explicit if desired) to match only what the backmerge job needs, and apply the same least-privilege scoping to any other workflows that create the same kind of token in this PR.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/backmerge.yml around lines 145 - 149, The workflow
currently creates a GitHub App token via the actions/create-github-app-token
step with id "app-token" but does not declare any permission-* inputs, so the
token inherits all installation permissions; update the "app-token" step to add
explicit permission-* inputs (e.g., permission-contents,
permission-pull-requests, permission-issues, etc.) that exactly match what the
backmerge job needs and set repositories/owner inputs if applicable to restrict
scope, ensuring you choose the least-privilege set for this job and replicate
the same scoping in any other workflow steps that create the same token.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/deployment-matrix.yml`:
- Line 109: The deployment matrix has inconsistent ordering for the service name
lerian-notification across clusters; to fix it, open the
config/deployment-matrix.yml and move the lerian-notification entry in the
Clotilde, Anacleto and Benedita cluster lists so it sits directly after the
product-console entry (matching Firmino’s ordering), ensuring each cluster’s app
list preserves the same relative position for lerian-notification as in Firmino.

---

Outside diff comments:
In @.github/workflows/backmerge.yml:
- Around line 145-149: The workflow currently creates a GitHub App token via the
actions/create-github-app-token step with id "app-token" but does not declare
any permission-* inputs, so the token inherits all installation permissions;
update the "app-token" step to add explicit permission-* inputs (e.g.,
permission-contents, permission-pull-requests, permission-issues, etc.) that
exactly match what the backmerge job needs and set repositories/owner inputs if
applicable to restrict scope, ensuring you choose the least-privilege set for
this job and replicate the same scoping in any other workflow steps that create
the same token.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6958b345-d88e-4c91-bfb0-cd8f0216c63f

📥 Commits

Reviewing files that changed from the base of the PR and between 94b8b32 and be68840.

📒 Files selected for processing (8)
  • .github/workflows/backmerge.yml
  • .github/workflows/gptchangelog.yml
  • .github/workflows/helm-update-chart.yml
  • .github/workflows/helm-upgrade-doc.yml
  • .github/workflows/release-notification.yml
  • .github/workflows/release.yml
  • .github/workflows/typescript-release.yml
  • config/deployment-matrix.yml

Comment thread config/deployment-matrix.yml
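
The least-privilege finding in the review above (token steps with no permission-* inputs) can be enforced as a repository check. This is an added example, not code from this PR, the repository or CodeRabbit; the function names, the line-based parsing (block-style YAML with one "- " list item per step) and the sample workflow are assumptions.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/create-github-app-token@")
PERM_RE = re.compile(r"^\s*(permission-[a-z-]+)\s*:")
ID_RE = re.compile(r"^\s*(?:-\s+)?id:\s*(\S+)")
_indent = lambda s: len(s) - len(s.lstrip())

def audit_token_steps(workflow_text):
    """One record per create-github-app-token step: line, step id, permission-* inputs."""
    lines, records = workflow_text.splitlines(), []
    for i, line in enumerate(lines):
        if not USES_RE.match(line):
            continue
        start = i  # walk back to the "- " line that opens this step
        while start > 0 and not lines[start].lstrip().startswith("- "):
            start -= 1
        dash = _indent(lines[start])
        end = start + 1  # step ends at the next non-blank line at or left of the dash
        while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash):
            end += 1
        block = lines[start:end]
        ids = [m.group(1) for m in map(ID_RE.match, block) if m]
        perms = [m.group(1) for m in map(PERM_RE.match, block) if m]
        records.append({"line": i + 1, "id": ids[0] if ids else None, "permissions": perms})
    return records

def unscoped(records):
    """Steps with no permission-* input, i.e. tokens carrying every installation permission."""
    return [r for r in records if not r["permissions"]]

# Constructed sample, not the repository's workflow; secret names and ref are placeholders.
SAMPLE = """\
steps:
  - id: app-token
    uses: actions/create-github-app-token@<pinned-sha>
    with:
      app-id: ${{ secrets.EXAMPLE_APP_ID }}
      private-key: ${{ secrets.EXAMPLE_APP_KEY }}
  - id: scoped-token
    uses: actions/create-github-app-token@<pinned-sha>
    with:
      app-id: ${{ secrets.EXAMPLE_APP_ID }}
      private-key: ${{ secrets.EXAMPLE_APP_KEY }}
      permission-contents: write
      permission-pull-requests: write
"""

if __name__ == "__main__":
    print(unscoped(audit_token_steps(SAMPLE)))
```

A step returned by `unscoped` is the case the review describes; the remedy is to add only the permission-* inputs the job needs.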
@bedatty bedatty merged commit 7025bd1 into main May 28, 2026
36 checks passed