fix(ci): use GitHub App token for auto-commits to trigger CI #2871
amikofalvy merged 1 commit into main from
Conversation
Bot commits pushed with the default GITHUB_TOKEN (github-actions[bot]) don't trigger workflow runs due to GitHub's infinite loop protection. This left PRs stuck waiting for required checks that never ran.

Now uses the inkeep-internal-ci GitHub App token for OpenAPI snapshot commits (ci.yml) and auto-format commits (auto-format.yml), matching the pattern already used in release.yml. App token commits trigger downstream workflows.

Fixes: PR #2866 stuck 30min waiting on CI after OpenAPI snapshot commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary | 2 files | 1 commit | base:

TL;DR — Switches auto-commit steps in CI and auto-format workflows from the default

Key changes

GitHub App token for bot commits

The pattern is identical in both files: generate the App token early, pass it as an
Clean, well-scoped fix. The root cause analysis is correct — GITHUB_TOKEN commits deliberately don't trigger workflows to prevent infinite loops, and using a GitHub App token is the standard workaround.
Verified:
- The `create-github-app-token` action pin (d72941d797fd3113feb6b93fd0dec494b13a2547) matches the existing usage across release.yml, claude.yml, model-sync.yml, etc.
- The `if [ -n "$APP_TOKEN" ]` guard before `git remote set-url` is a good defensive pattern — degrades gracefully if the token step is skipped or fails.
- ci.yml correctly gates the token generation to `pull_request` events from the same repo (not forks), matching the existing fork guard on the OpenAPI snapshot steps. auto-format.yml doesn't need the fork check since the job-level `if` already skips fork PRs entirely.
- Checkout steps correctly continue using GITHUB_TOKEN (read-only access is sufficient); the app token is only used for the push where it matters.
No issues found.
Claude Opus
PR Review Summary
(0) Total Issues | Risk: Low
Analysis
This PR correctly addresses the issue where auto-commits using the default GITHUB_TOKEN don't trigger downstream CI workflows (a deliberate GitHub protection against infinite loops). The solution uses the inkeep-internal-ci GitHub App token, which is already established across multiple workflows in this repository.
Key observations:
- Consistency with existing patterns ✅ — The implementation matches the exact pattern used in release.yml, claude.yml, claude-code-review.yml, model-sync.yml, and closed-pr-review-auto-improver.yml:
  - Same action pinned to the same commit hash (d72941d797fd3113feb6b93fd0dec494b13a2547)
  - Same secrets (INTERNAL_CI_APP_ID, INTERNAL_CI_APP_PRIVATE_KEY)
  - Same step ID (app-token)
- Security considerations ✅
  - Action is pinned to commit hash (supply chain protection)
  - Fork PRs are excluded in ci.yml via `github.event.pull_request.head.repo.full_name == github.repository`
  - Tokens passed via env vars are automatically masked by GitHub Actions
  - Graceful fallback with `if [ -n "$APP_TOKEN" ]` check
- Implementation correctness ✅
  - The `git remote set-url` is executed before the push in both workflows
  - Conditional logic properly gates token generation to when it's needed
  - Comments clearly explain the rationale
- No changeset needed — This is a CI/tooling-only change with no user-facing package modifications.
✅ APPROVE
Summary: Clean, well-documented CI fix that follows established patterns. The implementation correctly solves the problem of auto-commits not triggering downstream workflows, and the test plan in the PR description provides good verification steps.
Reviewers (3)
| Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded |
|---|---|---|---|---|---|---|---|
| pr-review-devops | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-standards | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| pr-review-appsec | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
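The pattern the PR description and both reviews describe, written out as an added illustration (this is not the PR's own diff): an App-token step pinned to the commit hash and gated to same-repo PRs, the token passed through an env var, and the `if [ -n "$APP_TOKEN" ]` guard before `git remote set-url`. The job name, step names, bot identity strings, snapshot file path and the commit/push commands are assumptions; the action pin, secret names, step id and fork-guard expression are the ones quoted on the page.

```yaml
# Added example of the App-token auto-commit pattern; not the PR's own diff.
# Job/step names, the bot identity and the snapshot path are assumptions.
name: ci
on:
  pull_request:

jobs:
  openapi-snapshot:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Default token is sufficient for checkout (read access only)
          token: ${{ secrets.GITHUB_TOKEN }}

      # Mint a short-lived installation token for the inkeep-internal-ci App.
      # Gated to same-repo PRs: fork PRs must never receive a push-capable token.
      - name: Generate App token
        id: app-token
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547
        with:
          app-id: ${{ secrets.INTERNAL_CI_APP_ID }}
          private-key: ${{ secrets.INTERNAL_CI_APP_PRIVATE_KEY }}

      - name: Commit OpenAPI snapshot
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          # Passed via env so GitHub Actions masks it in logs; empty when the
          # token step was skipped or failed.
          APP_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          git config user.name "inkeep-internal-ci[bot]"            # assumed identity
          git config user.email "inkeep-internal-ci[bot]@users.noreply.github.com"
          # Defensive guard: without a token the push still uses GITHUB_TOKEN
          # (commit lands, but no downstream workflow runs) instead of failing.
          if [ -n "$APP_TOKEN" ]; then
            git remote set-url origin \
              "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          fi
          git add openapi/snapshot.json   # assumed path
          if ! git diff --cached --quiet; then
            git commit -m "chore: update OpenAPI snapshot"
            git push origin "HEAD:${GITHUB_HEAD_REF}"
          fi
```

With the remote rewritten this way the push is authored by the App installation, so a `pull_request` `synchronize` event fires and the required checks run on the new commit; with only GITHUB_TOKEN the same push is silently ignored for triggering purposes.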
The changesets/action pushes commits using the default GITHUB_TOKEN credential, which GitHub ignores for triggering downstream workflows. This left the Version Packages PR (#2881) stuck with required checks (ci, Cypress E2E, Create Agents E2E) permanently waiting.

Configures the git remote URL with the inkeep-internal-ci App token before changesets/action runs — same pattern applied to ci.yml and auto-format.yml in #2871.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): configure git remote with App token in release workflow

  The changesets/action pushes commits using the default GITHUB_TOKEN credential, which GitHub ignores for triggering downstream workflows. This left the Version Packages PR (#2881) stuck with required checks (ci, Cypress E2E, Create Agents E2E) permanently waiting.

  Configures the git remote URL with the inkeep-internal-ci App token before changesets/action runs — same pattern applied to ci.yml and auto-format.yml in #2871.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* perf(ci): skip container init for changeset PRs by extracting check job

  Service containers (Doltgres, Postgres) in cypress-e2e and create-agents-e2e were initialized before the changeset check ran, wasting ~30s of ubuntu-32gb runner time on every changeset PR.

  Extracts the changeset check into a lightweight job on ubuntu-latest that runs first. The heavy jobs now depend on it via `needs:` and skip entirely (including container init) when it's a changeset PR. Also removes all redundant step-level `if: changeset-check` guards since the job-level `if` already gates everything.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(ci): extract changeset check into reusable composite action

  The changeset detection logic (~60 lines of shell) was duplicated across ci.yml and cypress.yml. Extracts it into a shared composite action at .github/composite-actions/changeset-check/action.yml.

  Both workflows now do a sparse checkout (just the composite action directory) and delegate to the shared action, keeping the changeset detection logic in one place.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Summary
- GITHUB_TOKEN (github-actions[bot]) don't trigger workflow runs — a deliberate GitHub protection against infinite loops
- inkeep-internal-ci GitHub App token (already used in release.yml) for both OpenAPI snapshot commits (ci.yml) and auto-format commits (auto-format.yml)
- inkeep-internal-ci[bot] which triggers downstream workflow runs

Test plan
- INTERNAL_CI_APP_ID and INTERNAL_CI_APP_PRIVATE_KEY secrets are accessible to both workflows

🤖 Generated with Claude Code