
chore(release): use GitHub App token instead of PAT #200

Merged
k-chrispens merged 1 commit into main from chore/release-app-token on Apr 3, 2026

Conversation


@saada saada commented Apr 2, 2026

Summary

  • Replace RELEASE_TOKEN PAT with dedicated diffuse-semantic-release GitHub App via actions/create-github-app-token
  • Branch ruleset already updated: admin bypass removed, only the app can push to main

Test plan

  • Merge this PR and verify the release workflow runs successfully on main
  • Verify admins can no longer push directly to main
  • Remove old RELEASE_TOKEN secret after confirming

Summary by CodeRabbit

  • Chores
    • Release workflow now uses a dynamically generated GitHub App installation token instead of a static token, improving security and automation for releases.


coderabbitai Bot commented Apr 2, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b24f4787-be13-4761-8f00-5a9688fe20f2

📥 Commits

Reviewing files that changed from the base of the PR and between 45a0543 and fd3e07a.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

Replaces a static RELEASE_TOKEN secret with a generated GitHub App installation token. Adds a step using actions/create-github-app-token@v2 (driven by SEMANTIC_RELEASE_APP_ID and SEMANTIC_RELEASE_APP_PRIVATE_KEY) and passes steps.app-token.outputs.token to checkout and semantic-release actions.

Changes

Cohort: GitHub Actions Workflow Authentication
File(s): .github/workflows/release.yml
Summary: Added Generate App Token step using actions/create-github-app-token@v2 that creates steps.app-token.outputs.token. Replaced uses of secrets.RELEASE_TOKEN with the generated token for actions/checkout, python-semantic-release, and python-semantic-release/publish-action.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Maintainer
    participant Secrets as "Repo Secrets"
    participant TokenAction as "create-github-app-token@v2\n(Generate App Token)"
    participant Workflow as "GitHub Actions Workflow"
    participant Checkout as "actions/checkout"
    participant SemanticRelease as "python-semantic-release / publish-action"
    participant GitHub as "GitHub API (Installation Token)"

    Maintainer->>Secrets: Provide SEMANTIC_RELEASE_APP_ID & PRIVATE_KEY
    Secrets->>TokenAction: supply credentials
    TokenAction->>GitHub: request installation token
    GitHub-->>TokenAction: return installation token (steps.app-token.outputs.token)
    TokenAction-->>Workflow: expose token to subsequent steps
    Workflow->>Checkout: pass token to checkout step
    Workflow->>SemanticRelease: pass token to release/publish steps
    Checkout->>GitHub: perform repo checkout using token
    SemanticRelease->>GitHub: perform release/publish using token

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A token sprung from moonlit keys,
Fresh for each release with nimble ease,
No stale secret left to stay,
I hop, I push, I dance—hooray! ✨🔑

🚥 Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: replacing a static PAT (Personal Access Token) with a dynamically generated GitHub App token in the release workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

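The change the walkthrough describes, written out as a before/after release workflow fragment. This is an added illustration, not the repository's own .github/workflows/release.yml; the python-semantic-release version tags, the job name, the concurrency group and the fetch-depth/permissions settings are assumptions, while the secret names, action and step names come from the PR.

```yaml
# Added example, not the project's actual .github/workflows/release.yml.
# Shows the PAT pattern this PR removes beside the GitHub App pattern.
name: release
on:
  push:
    branches: [main]
# Keep the default GITHUB_TOKEN read-only; the app token does the pushing.
permissions:
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    concurrency: release   # one release at a time, so pushes don't race
    steps:
      # BEFORE (replaced by this PR): a long-lived PAT in a repo secret.
      # It is bound to one user's account and only works because that
      # user holds an admin bypass on the main branch ruleset.
      # - uses: actions/checkout@v4
      #   with:
      #     token: ${{ secrets.RELEASE_TOKEN }}

      # AFTER: mint a short-lived installation token for the
      # diffuse-semantic-release app on every run. The app's granted
      # permissions bound what the token can do, and it expires on its own.
      - name: Generate App Token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.SEMANTIC_RELEASE_APP_ID }}
          private-key: ${{ secrets.SEMANTIC_RELEASE_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so the next version can be computed
          # The persisted git credential is now the app token, so the
          # version commit and tag are pushed as the app, the only identity
          # the ruleset still allows to push to main.
          token: ${{ steps.app-token.outputs.token }}

      - name: Python Semantic Release
        uses: python-semantic-release/python-semantic-release@v9   # version assumed
        with:
          github_token: ${{ steps.app-token.outputs.token }}

      - name: Publish to GitHub Release Assets
        uses: python-semantic-release/publish-action@v9   # version assumed
        with:
          github_token: ${{ steps.app-token.outputs.token }}
```

Because the installation token carries only the permissions granted to the app and expires shortly after the run, a leaked or misused token exposes far less than the user-bound PAT it replaces.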

@saada saada requested a review from k-chrispens April 2, 2026 15:40
Replace RELEASE_TOKEN PAT with dedicated GitHub App (diffuse-semantic-release)
for pushing version commits and tags. This allows removing admin bypass from
the branch ruleset so only the app can push directly to main.
@k-chrispens k-chrispens force-pushed the chore/release-app-token branch from 45a0543 to fd3e07a on April 3, 2026 06:40
Collaborator

@k-chrispens k-chrispens left a comment


Thanks!!

@k-chrispens k-chrispens merged commit 64afe6f into main Apr 3, 2026
1 check was pending
@k-chrispens k-chrispens deleted the chore/release-app-token branch April 3, 2026 06:41