fix: finish app-id→client-id migration in workflow token passthroughs #323

Merged
botantler-1[bot] merged 2 commits into main from claude/ci-finish-client-id-migration
Jun 17, 2026
@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Completes Phase 2 of the create-github-app-token app-id→client-id migration tracked in #308 (epic #305). Phase 1 (#309, the 5 direct-call workflows) and the actions composites (#264/#290) already merged; this updates the two passthrough workflows that forward to those composites — the last open item on #308.

What & why

scan-for-todo-comments.yaml

Passes client-id: ${{ vars.APP_CLIENT_ID }} instead of the deprecated app-id: ${{ vars.APP_ID }}. The consumed create-issues-from-todos@v6.1.0 composite accepts client-id (preferred) and forwards it to actions/create-github-app-token, so the upstream deprecation warning is eliminated. Behaviour-preserving — it still mints the same App token (now via client-id + app-private-key). vars.APP_CLIENT_ID is the same org variable Phase 1 already adopted.

run-dotnet-tests.yaml

Drops the dead app-id/app-private-key passthrough and the now-unused required APP_PRIVATE_KEY workflow_call secret. The run-dotnet-tests@v6.1.0 composite no longer mints an App token — its token inputs were removed as dead in actions#264; it authenticates to the GHCR NuGet feed with the automatic GITHUB_TOKEN (packages: read). The composite already ignored these inputs at the pinned v6.1.0, so this is behaviour-preserving (the runtime token was already GITHUB_TOKEN) and removes the per-run Unexpected input(s) "app-id", "app-private-key" warnings.

README

Synced both workflows' Usage + Secrets/Inputs sections (drop APP_PRIVATE_KEY from run-dotnet-tests; document APP_CLIENT_ID for scan-for-todo-comments).

⚠️ Interface change (flagged)

Removing the required APP_PRIVATE_KEY secret from run-dotnet-tests.yaml's workflow_call interface is technically a breaking change to that reusable workflow. Verified zero current consumers across the org (dotnet-template, wedding-app, ascoachingogvaner, ksail, platform, unifi, go-template — none call run-dotnet-tests.yaml; only the README example references it), so practical impact is nil. Titled fix: for a patch release; promote with a major-bump title instead if you prefer to treat the interface removal as breaking.

Validation

  • actionlint clean on both files (the pre-existing code-quality permission-scope warning is actionlint version-skew on an untouched line, already present on main).
  • Composite input contracts verified at the consumed @v6.1.0 tag: create-issues-from-todos accepts client-id; run-dotnet-tests declares only github-token/working-directory.

Closes #308.

Completes Phase 2 of the create-github-app-token app-id→client-id
migration (epic #308):

- scan-for-todo-comments.yaml: pass client-id (vars.APP_CLIENT_ID)
  instead of the deprecated app-id (vars.APP_ID); the consumed
  create-issues-from-todos@v6.1.0 composite forwards client-id, so the
  upstream deprecation warning is gone. Behaviour-preserving (still mints
  the same App token via client-id + app-private-key).
- run-dotnet-tests.yaml: drop the dead app-id/app-private-key passthrough
  and the now-unused required APP_PRIVATE_KEY workflow_call secret. The
  run-dotnet-tests@v6.1.0 composite no longer mints an App token (its
  token inputs were removed in actions#264); it authenticates to the GHCR
  NuGet feed with the automatic GITHUB_TOKEN. The composite already
  ignored these inputs, so this is behaviour-preserving and removes the
  'unexpected input' warnings.
- README: sync both workflows' Secrets/Inputs docs.
@devantler devantler marked this pull request as ready for review June 17, 2026 09:22
…ller

The app-id→client-id migration (#308) removed the APP_PRIVATE_KEY
workflow_call secret from run-dotnet-tests.yaml, but the in-repo
test-run-dotnet-tests caller in ci.yaml still passed it. Passing a
secret a reusable workflow no longer defines causes a workflow
startup_failure, which left 'CI - Required Checks' unreported and the
PR BLOCKED. Remove the stale passthrough; the composite already
authenticates via GITHUB_TOKEN.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@botantler-1 botantler-1 Bot enabled auto-merge (squash) June 17, 2026 10:19
@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

Root-caused the BLOCKED state and pushed a fix. After promotion this PR was BLOCKED because the required `CI - Required Checks` context never reported — the `🧪 CI` workflow run for the head commit ended in `startup_failure` ("workflow file issue").

Cause: this PR removed the `APP_PRIVATE_KEY` `workflow_call` secret from `run-dotnet-tests.yaml`, but the in-repo caller `ci.yaml` (test-run-dotnet-tests job) still passed `secrets.APP_PRIVATE_KEY` to it. Passing a secret a reusable workflow no longer defines is a startup-time error, so the whole CI workflow failed to start and the aggregator job (if: always()) never produced its check.

Fix (commit `69f6e6f`): dropped the stale `secrets:` passthrough from the test-run-dotnet-tests caller — the composite already authenticates via `GITHUB_TOKEN`. `actionlint` now reports only the pre-existing `code-quality` permission-scope version-skew warnings (untouched lines). CI should now start cleanly and report `CI - Required Checks`; once green this is ready to merge.
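
A pre-merge check for the mismatch described in the comment above, where a caller job passes a secret that the reusable workflow no longer declares. This is an added example, not code from this repository or PR; the file path, the dict-shaped workflow samples and the function names are assumptions. It also flags the inverse mismatch (a required secret the caller omits), which goes beyond the case in the thread.

```python
# Added example. The workflow mappings below are constructed samples, shaped like
# the output of yaml.safe_load() (PyYAML) on a workflow file.
PATH = "./.github/workflows/run-dotnet-tests.yaml"  # assumed location

def _triggers(workflow):
    # PyYAML follows YAML 1.1 and loads the bare key `on` as boolean True.
    on = workflow.get("on", workflow.get(True, {}))
    return on if isinstance(on, dict) else {}

def declared_secrets(reusable):
    """Map each workflow_call secret name to whether it is required."""
    call = _triggers(reusable).get("workflow_call") or {}
    return {name: bool((spec or {}).get("required", False))
            for name, spec in (call.get("secrets") or {}).items()}

def check_callers(caller, reusables):
    """Return (job, problem) pairs for local reusable-workflow calls."""
    findings = []
    for job_id, job in (caller.get("jobs") or {}).items():
        uses = job.get("uses", "")
        if uses not in reusables:
            continue  # not a call to a reusable workflow we parsed
        passed = job.get("secrets") or {}
        if passed == "inherit":
            continue  # caller forwards all of its secrets implicitly
        declared = declared_secrets(reusables[uses])
        for name in sorted(set(passed) - set(declared)):
            findings.append((job_id, f"passes undeclared secret {name}"))
        for name, required in sorted(declared.items()):
            if required and name not in passed:
                findings.append((job_id, f"omits required secret {name}"))
    return findings

# Constructed: reusable workflow before and after the secret was removed.
REUSABLE_BEFORE = {True: {"workflow_call": {
    "secrets": {"APP_PRIVATE_KEY": {"required": True}}}}}
REUSABLE_AFTER = {True: {"workflow_call": None}}
# Constructed: the stale caller job and the fixed one.
STALE_CALLER = {"jobs": {"test-run-dotnet-tests": {
    "uses": PATH,
    "secrets": {"APP_PRIVATE_KEY": "${{ secrets.APP_PRIVATE_KEY }}"}}}}
FIXED_CALLER = {"jobs": {"test-run-dotnet-tests": {"uses": PATH}}}

if __name__ == "__main__":
    for caller in (STALE_CALLER, FIXED_CALLER):
        print(check_callers(caller, {PATH: REUSABLE_AFTER}))
```

Run against every `uses: ./...` job in the repository whenever a `workflow_call` interface changes, so a stale passthrough is caught before the required check goes unreported.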

@botantler-1 botantler-1 Bot merged commit d87d78b into main Jun 17, 2026
52 checks passed
@botantler-1 botantler-1 Bot deleted the claude/ci-finish-client-id-migration branch June 17, 2026 10:25
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jun 17, 2026
@botantler-1

botantler-1 Bot commented Jun 17, 2026

Contributor

🎉 This PR is included in version 5.6.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

ci: migrate create-github-app-token app-id → client-id (deprecated input)
