fix: finish app-id→client-id migration in workflow token passthroughs#323
Conversation
Completes Phase 2 of the create-github-app-token app-id→client-id migration (epic #308): - scan-for-todo-comments.yaml: pass client-id (vars.APP_CLIENT_ID) instead of the deprecated app-id (vars.APP_ID); the consumed create-issues-from-todos@v6.1.0 composite forwards client-id, so the upstream deprecation warning is gone. Behaviour-preserving (still mints the same App token via client-id + app-private-key). - run-dotnet-tests.yaml: drop the dead app-id/app-private-key passthrough and the now-unused required APP_PRIVATE_KEY workflow_call secret. The run-dotnet-tests@v6.1.0 composite no longer mints an App token (its token inputs were removed in actions#264); it authenticates to the GHCR NuGet feed with the automatic GITHUB_TOKEN. The composite already ignored these inputs, so this is behaviour-preserving and removes the 'unexpected input' warnings. - README: sync both workflows' Secrets/Inputs docs.
…ller The app-id→client-id migration (#308) removed the APP_PRIVATE_KEY workflow_call secret from run-dotnet-tests.yaml, but the in-repo test-run-dotnet-tests caller in ci.yaml still passed it. Passing a secret a reusable workflow no longer defines causes a workflow startup_failure, which left 'CI - Required Checks' unreported and the PR BLOCKED. Remove the stale passthrough; the composite already authenticates via GITHUB_TOKEN. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Root-caused the BLOCKED state and pushed a fix. After promotion this PR was BLOCKED because the required `CI - Required Checks` context never reported — the `🧪 CI` workflow run for the head commit ended in `startup_failure` ("workflow file issue"). Cause: this PR removed the `APP_PRIVATE_KEY` `workflow_call` secret from `run-dotnet-tests.yaml`, but the in-repo caller `ci.yaml` ( Fix (commit `69f6e6f`): dropped the stale `secrets:` passthrough from the |
|
🎉 This PR is included in version 5.6.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Completes Phase 2 of the
create-github-app-tokenapp-id→client-idmigration tracked in #308 (epic #305). Phase 1 (#309, the 5 direct-call workflows) and theactionscomposites (#264/#290) already merged; this updates the two passthrough workflows that forward to those composites — the last open item on #308.What & why
scan-for-todo-comments.yamlPasses
client-id: ${{ vars.APP_CLIENT_ID }}instead of the deprecatedapp-id: ${{ vars.APP_ID }}. The consumedcreate-issues-from-todos@v6.1.0composite acceptsclient-id(preferred) and forwards it toactions/create-github-app-token, so the upstream deprecation warning is eliminated. Behaviour-preserving — it still mints the same App token (now viaclient-id+app-private-key).vars.APP_CLIENT_IDis the same org variable Phase 1 already adopted.run-dotnet-tests.yamlDrops the dead
app-id/app-private-keypassthrough and the now-unused requiredAPP_PRIVATE_KEYworkflow_callsecret. Therun-dotnet-tests@v6.1.0composite no longer mints an App token — its token inputs were removed as dead inactions#264; it authenticates to the GHCR NuGet feed with the automaticGITHUB_TOKEN(packages: read). The composite already ignored these inputs at the pinnedv6.1.0, so this is behaviour-preserving (the runtime token was alreadyGITHUB_TOKEN) and removes the per-runUnexpected input(s) "app-id", "app-private-key"warnings.README
Synced both workflows' Usage + Secrets/Inputs sections (drop
APP_PRIVATE_KEYfromrun-dotnet-tests; documentAPP_CLIENT_IDforscan-for-todo-comments).Removing the required
APP_PRIVATE_KEYsecret fromrun-dotnet-tests.yaml'sworkflow_callinterface is technically a breaking change to that reusable workflow. Verified zero current consumers across the org (dotnet-template,wedding-app,ascoachingogvaner,ksail,platform,unifi,go-template— none callrun-dotnet-tests.yaml; only the README example references it), so practical impact is nil. Titledfix:for a patch release; promote with a major-bump title instead if you prefer to treat the interface removal as breaking.Validation
actionlintclean on both files (the pre-existingcode-qualitypermission-scope warning is actionlint version-skew on an untouched line, already present onmain).@v6.1.0tag:create-issues-from-todosacceptsclient-id;run-dotnet-testsdeclares onlygithub-token/working-directory.Closes #308.