Use GitHub App token for release uploads #2149

Merged: juliusmarminge merged 1 commit into main from feature/release-app-token on Apr 17, 2026

@juliusmarminge commented Apr 17, 2026

Summary

  • Mint a GitHub App token at the start of the release job.
  • Use that token for Electron release asset uploads instead of the default workflow token.
  • Keep upload permissions scoped to the release app credentials configured in repository secrets.

Testing

  • Not run (workflow-only change).
  • Verified the release workflow YAML updates the upload steps to pass steps.app_token.outputs.token.
  • Verified the token is minted before checkout and available to both release upload steps.

Note

Medium Risk
Medium risk because it changes the credentials used by the release workflow; misconfigured app secrets/permissions could cause release creation or asset uploads to fail.

Overview
The release workflow now mints a GitHub App installation token (actions/create-github-app-token@v2) at the start of the release job.

Both softprops/action-gh-release@v2 steps (existing release and first release) are updated to use that App token via token: ${{ steps.app_token.outputs.token }}, instead of relying on the default workflow token.

Reviewed by Cursor Bugbot for commit 8f158bd.

Note

Use GitHub App token for release uploads in the release workflow

The Publish GitHub Release job in release.yml now mints a GitHub App token via actions/create-github-app-token@v2 and passes it explicitly to both release publishing steps, replacing the default workflow token.

Macroscope summarized 8f158bd.

- Mint a release-scoped GitHub App token in the workflow
- Pass the token to asset upload steps
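
The workflow shape this PR describes, as an added example that is not copied from the repository's release.yml. The action versions, the `app_token` step id and the token expression come from the PR text; the trigger, secret names, artifact path and permission settings are assumptions.

```yaml
# Added example. Values marked "assumed" are not taken from the PR.
name: Release
on:
  push:
    tags: ["v*"]              # assumed trigger

jobs:
  release:
    name: Publish GitHub Release
    runs-on: ubuntu-latest
    permissions:
      contents: read          # assumed: the default GITHUB_TOKEN only needs read
                              # access once uploads go through the App token
    steps:
      # Minted first, before checkout, so both upload steps can reference it.
      # With no owner/repositories inputs the token covers only this repository.
      - name: Mint release App token
        id: app_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}                # assumed secret name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}  # assumed secret name
          permission-contents: write   # assumed: request only what uploads need

      - uses: actions/checkout@v4

      # The PR updates two such steps (existing release and first release);
      # one is shown here.
      - name: Upload release assets
        uses: softprops/action-gh-release@v2
        with:
          # Before this change the step relied on the default workflow token.
          token: ${{ steps.app_token.outputs.token }}
          tag_name: ${{ github.ref_name }}
          files: release/*             # assumed artifact path
          fail_on_unmatched_files: true
```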

coderabbitai bot commented Apr 17, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

github-actions bot added the size:S and vouch:trusted labels Apr 17, 2026

juliusmarminge merged commit 9df3c64 into main Apr 17, 2026 (12 checks passed)

juliusmarminge deleted the feature/release-app-token branch April 17, 2026 23:52