ci(release-please): use sw-release-bot app token for PR creation #4

Merged: polaz merged 1 commit into main from ci/#4-release-please-app-token on Apr 9, 2026

@polaz (Member) commented Apr 9, 2026

Summary

  • Add actions/create-github-app-token step using RELEASER_APP_ID / RELEASER_APP_PRIVATE_KEY
  • Pass the generated token to googleapis/release-please-action

Problem

Release Please fails with:

GitHub Actions is not permitted to create or approve pull requests

The structured-world org blocks GITHUB_TOKEN from creating PRs. Other workflows in the org (e.g. publish.yml in structured-world/repo) already use the sw-release-bot GitHub App token for this purpose — same pattern applied here.

Closes #4

org-level policy blocks GITHUB_TOKEN from creating PRs;
use RELEASER_APP_ID / RELEASER_APP_PRIVATE_KEY app token
(same pattern as publish.yml in structured-world/repo)

coderabbitai bot commented Apr 9, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 73c15b5 and 652a279.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated the release workflow authentication mechanism to use a GitHub App installation token instead of default authentication.

Walkthrough

The release workflow now uses a GitHub App installation token for release-please operations instead of relying on default authentication. The token is created via actions/create-github-app-token using RELEASER_APP_ID and RELEASER_APP_PRIVATE_KEY, then passed to the release-please action to enable PR creation.

Changes

Cohort / File(s): Release Workflow Token Auth (.github/workflows/release-please.yml)
Summary: Added actions/create-github-app-token step to generate a GitHub App token and pass it to googleapis/release-please-action to resolve PR creation permission restrictions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5 passed

  • Title check: ✅ Passed. The title clearly and concisely describes the main change: using the sw-release-bot app token for PR creation in the release-please workflow.
  • Description check: ✅ Passed. The description is directly related to the changeset, clearly explaining the problem, solution, and the specific changes made to the workflow.
  • Linked Issues check: ✅ Passed. The code changes fully satisfy all objectives from issue #4: creating a GitHub App token step and passing it to release-please-action to resolve PR creation failures.
  • Out of Scope Changes check: ✅ Passed. All changes are scoped to the release-please workflow and directly address the requirements in issue #4; no out-of-scope modifications are present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

sonarqubecloud bot commented Apr 9, 2026

@polaz polaz requested a review from Copilot April 9, 2026 12:49
@polaz polaz merged commit fcc4750 into main Apr 9, 2026
9 checks passed

Copilot AI left a comment

Pull request overview

Updates the Release Please workflow to authenticate PR creation using a GitHub App token instead of GITHUB_TOKEN, addressing org-level restrictions that prevent workflow tokens from opening PRs.

Changes:

  • Generate a GitHub App installation token via actions/create-github-app-token using RELEASER_APP_ID / RELEASER_APP_PRIVATE_KEY.
  • Pass the generated token into googleapis/release-please-action for PR creation.

steps:
- name: Generate release bot token
id: app-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
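
Review bot: the `Generate release bot token` step carries no comment saying why an app token is minted here instead of relying on GITHUB_TOKEN. A one-line YAML comment above `- name: Generate release bot token`, noting that org policy blocks GITHUB_TOKEN from creating PRs, would keep a later cleanup from reverting to the default token. The excerpt ends at `uses:`, so the step's inputs cannot be reviewed from these lines; since this token is the credential that opens PRs, confirm in the full file that it is limited to this repository.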

Copilot AI Apr 9, 2026

For consistency with other workflows in this repo (e.g., actions/checkout@… # v4 in ci.yml / release.yml), consider adding an inline version comment for the pinned actions/create-github-app-token@… SHA (e.g., # v1). This makes future dependency auditing/upgrades easier while keeping the security benefit of SHA pinning.

Suggested change
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v1

Copilot uses AI. Check for mistakes.
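
An added example, not part of the PR or the repository: a small Python check for the convention raised in the review comment above, flagging `uses:` lines that are not pinned to a full commit SHA and SHA pins that lack a trailing version comment. The sample workflow, the `example-org/...` actions and the finding labels are constructed for illustration; only the first SHA is taken from this page.

```python
import re

# Matches a workflow `uses:` line: action path, ref after '@', optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<note>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_NOTE_RE = re.compile(r"v?\d+(\.\d+){0,2}\b")


def audit_uses_lines(workflow_text):
    """Return (line_no, action, finding) for every `uses:` line that needs attention."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local ./path action without '@'
        action, ref, note = m.group("action"), m.group("ref"), m.group("note")
        if not FULL_SHA_RE.fullmatch(ref):
            # A tag or branch name can be repointed by whoever controls the action.
            findings.append((line_no, action, "mutable-ref"))
        elif not (note and VERSION_NOTE_RE.match(note)):
            # Immutable pin, but nothing tells an auditor which release it is.
            findings.append((line_no, action, "sha-without-version-comment"))
    return findings


# Constructed sample workflow (not the repository's file). The first SHA is the one
# quoted on this page; the other actions and refs are made up for the example.
SAMPLE = """\
steps:
  - name: Generate release bot token
    id: app-token
    uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf
  - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: example-org/floating-action@v4
"""

if __name__ == "__main__":
    for line_no, action, finding in audit_uses_lines(SAMPLE):
        print(f"line {line_no}: {action}: {finding}")
```
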