ci: use GitHub App token for release-please workflow#94
Merged
Replace the implicit GITHUB_TOKEN with a GitHub App-issued token so that release PRs, merges, tags, and GitHub Releases produced by release-please are attributed to the release-please bot instead of github-actions[bot], and so that downstream workflows (e.g. tag-based Docker build / deployment pipelines) can be triggered by the events release-please emits.

Workflows triggered by GITHUB_TOKEN do not spawn additional workflow runs, which blocks the natural pattern of "release-please cuts the tag → tag push triggers Docker build". An installation token from a GitHub App bypasses that restriction.

Required secrets:
- RELEASE_PLEASE_APP_ID: the App ID of the GitHub App
- RELEASE_PLEASE_PRIVATE_KEY: the App's private key (PEM)

The App must be installed on this repository with at least these permissions: contents: write, pull-requests: write.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace floating tag refs with full commit SHAs so that workflow inputs cannot be silently changed by a tag re-point. Also bump release-please to v5.0.0 (current latest) per request.

- actions/create-github-app-token v1 → v3.1.1 (1b10c78c7865c340bc4f6099eb2f838309f1e8c3)
- googleapis/release-please-action v4 → v5.0.0 (45996ed1f6d02564a971a2fa1b5860e934307cf7)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Overview
Switch the token used by the release-please workflow from GITHUB_TOKEN to an installation token issued by a GitHub App.
Background
Tags and pushes created with GITHUB_TOKEN do not trigger other workflows by design (docs). The typical pattern of firing downstream workflows such as Docker build / deployment from the tag that release-please cuts automatically therefore does not work with the defaults.
Using an installation token issued by a GitHub App avoids this restriction, so subsequent workflows can be chained from the tag that release-please pushes. In addition, the author of release PRs / tags / GitHub Releases is shown as the App name (e.g. release-please-bot[bot]) instead of github-actions[bot], which also makes noise-exclusion rules (CODEOWNERS / Greptile, etc.) clearer.
Changes
Prerequisites
The following Secrets are configured in the repository (already registered):
- RELEASE_PLEASE_APP_ID
- RELEASE_PLEASE_PRIVATE_KEY
The GitHub App is installed on this repository and has at least the following permissions:
Test plan
🤖 Generated with Claude Code
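The workflow that the two commits above describe, written out as an added example; it is not the repository's own workflow file, which this page does not show. The action SHAs, secret names, and App permissions are taken from the commit messages; the trigger branch `main` and the `release-type` value are assumptions.

```yaml
# Added example: release-please driven by a GitHub App installation token.
# Assumptions: the default branch is `main` and the project uses the
# `simple` release type; adjust both to the repository's actual setup.
name: release-please

on:
  push:
    branches: [main]   # assumption

# Nothing in this job uses GITHUB_TOKEN, so give it no permissions at all.
# The App token minted below carries the rights release-please needs
# (contents: write, pull-requests: write, granted on the App installation).
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - name: Mint a short-lived installation token from the GitHub App
        id: app-token
        # Pinned to the full commit SHA listed in the PR; the trailing tag
        # comment is informational only and is not what Actions resolves.
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
          app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
          private-key: ${{ secrets.RELEASE_PLEASE_PRIVATE_KEY }}

      - name: Run release-please
        uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
        with:
          # Using the App token (not GITHUB_TOKEN) is what lets the tag push
          # that release-please performs trigger downstream workflows, and
          # what attributes the release PR / tag / Release to the App.
          token: ${{ steps.app-token.outputs.token }}
          release-type: simple   # assumption
```

Two points worth checking when reviewing a change like this: the `uses:` references must be the 40-character commit SHAs rather than tags, since a tag can be re-pointed while a SHA cannot; and the App installation, not the workflow's `permissions:` block, is where the `contents: write` and `pull-requests: write` scopes live, so the workflow itself can run with `permissions: {}`.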