ci: mint homebrew-tap token via GitHub App instead of PAT #105
Merged
Replaces the classic-PAT-based auth for updating gleanwork/homebrew-tap with a short-lived token minted by a GitHub App at workflow runtime.

PATs expire (v0.15.0 release hit a 401 when the existing one went stale); app-minted tokens are 1-hour tokens generated per run so there is nothing to rotate.

Requires two new repo secrets, populated separately:
- HOMEBREW_TAP_APP_ID app ID of the gleanwork-scoped App
- HOMEBREW_TAP_APP_PRIVATE_KEY PEM contents

The existing HOMEBREW_TAP_GITHUB_TOKEN secret is no longer referenced and can be removed once the next release succeeds.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
chris-freeman-glean approved these changes May 1, 2026
steve-calvert-glean added a commit that referenced this pull request May 2, 2026
#108)

Tags pushed by the default GITHUB_TOKEN do not fire downstream workflows (GitHub anti-loop protection). When release-please merged the v0.16.0 release PR and created the v0.16.0 tag using GITHUB_TOKEN, release.yml never ran — binaries and homebrew-tap were stuck until the tag was manually re-pushed from a local session.

Fix: release-please-action now uses a token minted by the existing GitHub App (the one set up for homebrew-tap in #105). App-minted tokens bypass the anti-loop filter, so tag pushes from release-please fire release.yml normally.

Reuses the existing HOMEBREW_TAP_APP_ID / HOMEBREW_TAP_APP_PRIVATE_KEY secrets. The App is now installed on both gleanwork/homebrew-tap and gleanwork/glean-cli. Naming mismatch acknowledged; can rename the secrets in a follow-up if desired.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Updates the release workflow to mint a short-lived installation token at runtime instead of relying on a static PAT.
Test plan