ci(release): authenticate as ccpluginizer-release-bot GitHub App #22
Merged
Previously, release.yml used the default GITHUB_TOKEN for both the changesets action (which opens version-packages PRs) and for git operations during checkout. Two problems with that:

1. GitHub's safety policy prevents downstream workflows from being triggered by events that GITHUB_TOKEN initiated. So when changesets opened a release PR, validate.yml and changeset-check did not run on it, leaving required checks permanently pending. Combined with the branch protection added in #19, release PRs became unmergeable without admin-override.

2. GITHUB_TOKEN is scoped per-workflow-run and can't be reused for long-running automation.

Switching to a dedicated GitHub App (ccpluginizer-release-bot) fixes both. PRs opened by the App are authored by an entity that is *not* GITHUB_TOKEN, so they trigger their own CI like normal. The App has exactly contents:write + pull-requests:write + metadata:read scopes — nothing more — and is installed only on this repo.

Also: bump actions/setup-node from v4 to v6 to silence the Node 20 deprecation warning. The v6.4.0 line runs on Node 24, the runner's default starting June 2026.

Empty changeset (CI config change, no published-package impact).
Summary
Makes the release workflow authenticate as a dedicated GitHub App (`ccpluginizer-release-bot`) instead of using the default `GITHUB_TOKEN`. Fixes the bot-PR-checks-never-run trap. Also bumps `actions/setup-node` to v6 to silence the Node 20 deprecation warning.
The trap this fixes
PR #21 demonstrated it: `changesets/action` opened the v0.5.0 release PR using `GITHUB_TOKEN`, but GitHub's safety policy blocks events from triggering downstream workflows when initiated via `GITHUB_TOKEN`. Result: `validate` + `changeset-check` never ran on PR #21, but branch protection (added in #19) requires them, so the PR was unmergeable except via admin override.
The App-token flow uses a non-`GITHUB_TOKEN` identity, which falls outside that safety policy. Future release PRs will trigger their own CI normally and merge through the standard "checks green → click merge" flow.
Changes to `release.yml`
New first step: `actions/create-github-app-token@v2` mints an installation token from the App's credentials.
Checkout uses the App token: `actions/checkout@v6` now receives `token: ${{ steps.app-token.outputs.token }}`, so subsequent git operations are authenticated as the App. Required for commits the changesets action makes during `bun ci:version`.
Changesets uses the App token: `GITHUB_TOKEN` env in the `changesets/action@v1` step now uses the App token instead of the default. This is what causes PRs opened by changesets to count as App-authored and trigger downstream workflows.
`actions/setup-node@v4` → `@v6`: silences the Node 20 deprecation warning. v6.4.0 runs on Node 24 (the runner's default starting June 2026).
App configuration (already set up out-of-band)
Test plan
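The three `release.yml` changes described above, assembled into one illustrative workflow excerpt. This is an added example, not the project's actual file: the secret names `RELEASE_BOT_APP_ID` / `RELEASE_BOT_PRIVATE_KEY`, the `oven-sh/setup-bun` step and the `node-version` value are assumptions; the action names, versions and the `bun ci:version` command come from the PR description.

```yaml
# Illustrative release.yml excerpt (added example, not the project's own file)
name: Release

on:
  push:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: the App token performs every
# write in this job, so the workflow's own token can stay read-only.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # 1. New first step: mint a short-lived installation token from the App's
      #    credentials. Secret names are assumed placeholders; the App id and
      #    private key (PEM) live in repository secrets.
      - name: Generate release-bot token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}

      # 2. Checkout with the App token, so the commits changesets makes during
      #    `bun ci:version` are authenticated as the App.
      #    before: no `token:` input (checkout defaulted to GITHUB_TOKEN)
      - uses: actions/checkout@v6
        with:
          token: ${{ steps.app-token.outputs.token }}

      # 3. setup-node v6 (runs on Node 24; silences the Node 20 deprecation
      #    warning). The installed Node version is an assumption.
      - uses: actions/setup-node@v6
        with:
          node-version: lts/*

      # (assumed) bun toolchain for `bun ci:version`
      - uses: oven-sh/setup-bun@v2

      # 4. changesets reads GITHUB_TOKEN from env; handing it the App token makes
      #    the version-packages PR App-authored, so validate.yml and
      #    changeset-check run on it instead of staying permanently pending.
      #    before: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Create release PR
        uses: changesets/action@v1
        with:
          version: bun ci:version
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
```

A quick check after merging: the next version-packages PR should show `ccpluginizer-release-bot` as its author and list `validate` and `changeset-check` as completed rather than pending.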