
Conversation

@TabishB TabishB commented Jan 11, 2026

Summary

  • Uses GitHub App token instead of GITHUB_TOKEN for the changesets action
  • This allows the version PR to trigger CI workflows (required for auto-merge to work)
  • GITHUB_TOKEN cannot trigger workflows by design (prevents infinite loops)

Changes

  • Added actions/create-github-app-token@v1 step to generate token
  • Updated changesets/action to use the app token
  • Updated auto-merge step to use the app token

Prerequisites

Already configured:

  • GitHub App created (openspec-release-bot)
  • App installed on OpenSpec repository
  • APP_ID variable added
  • APP_PRIVATE_KEY secret added

Expected Flow After Merge

Feature PR merged → Release workflow runs → Version PR created
    → CI triggers on Version PR → CI passes → Auto-merges → Publishes to npm

Test plan

  • Merge this PR
  • Merge a feature PR with a changeset
  • Verify CI runs on the version PR (not just created, but CI actually triggers)
  • Verify auto-merge completes after CI passes

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Release workflow authentication updated to use a generated GitHub App token for publishing and auto-merge, improving reliability and security.
    • Token generation now occurs earlier in the workflow so subsequent release and publish steps use the app-generated credential.


Replace GITHUB_TOKEN with a GitHub App token so that the version PR
can trigger CI workflows. GITHUB_TOKEN cannot trigger workflows by
design (to prevent infinite loops).

Requires APP_ID variable and APP_PRIVATE_KEY secret to be configured.
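The PR description and commit message above explain the mechanism but show only the token step, so here is a complete release job in the same shape, written for this page as an added example rather than copied from the OpenSpec workflow. It puts the App token step first, pins every action to a commit SHA as the review asks (the <full-commit-sha> and vX.Y.Z placeholders are to be filled in from each action's release page), narrows the installation token to the two write scopes the release steps need using the action's permission-* inputs (check the names against the README of the version you pin), and confines the job to pushes to main so that the pushes the App token makes to the version-PR branch cannot re-trigger it. The job name, the npm run release command, the NPM_TOKEN secret name and the changeset-release/main branch (the changesets default) are assumptions; APP_ID, APP_PRIVATE_KEY and the auto-merge step come from the PR itself.

```yaml
# Added example, not the project's own workflow. Placeholders in angle brackets
# and the branch/secret/script names noted in the lead-in are assumptions.
name: Release

on:
  push:
    # Only main. The App token CAN trigger workflows (that is the point of this
    # PR), so the push it makes to changeset-release/main must not come back
    # here; the pull_request CI workflow is what should run on that branch.
    branches: [main]

# The job's own GITHUB_TOKEN stays read-only; every write goes through the
# short-lived App installation token minted below.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Mint the token first so every later step can use it. A floating major
      # tag (@v1, @v2) can move; the SHA cannot. Keep the release tag in the
      # comment so Dependabot/Renovate can propose bumps.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@<full-commit-sha> # vX.Y.Z
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Without these the token carries every permission the App
          # installation was granted; this is all the release needs.
          permission-contents: write
          permission-pull-requests: write

      - name: Checkout
        uses: actions/checkout@<full-commit-sha> # vX.Y.Z
        with:
          # Pushes from this checkout are attributed to the App, not to
          # GITHUB_TOKEN, so the version PR's pull_request events fire CI.
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0

      - name: Create version PR or publish
        id: changesets
        uses: changesets/action@<full-commit-sha> # vX.Y.Z
        with:
          publish: npm run release # assumed script name
        env:
          # changesets/action reads GITHUB_TOKEN from the environment.
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }} # assumed secret name

      - name: Enable auto-merge on the version PR
        if: steps.changesets.outputs.hasChangesets == 'true'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          # changeset-release/main is the changesets default branch name.
          pr="$(gh pr list --head changeset-release/main --state open \
                 --json number --jq '.[0].number')"
          if [ -n "$pr" ]; then
            gh pr merge "$pr" --auto --squash
          fi
```

Two things to confirm after merging a change like this. First, open the version PR's Checks tab and verify a CI run exists whose triggering actor is the App (openspec-release-bot[bot]); if the run is missing, the pushes are still being made with GITHUB_TOKEN, typically because the checkout step was not given the App token. Second, the App installation itself is the ceiling: the permission-* inputs can only narrow what the installation already has, so the App's Contents and Pull requests permissions must be set to write on the installation, and nothing more should be granted there than the release needs.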
coderabbitai bot commented Jan 11, 2026

📝 Walkthrough

Adds a new step to .github/workflows/release-prepare.yml that generates a GitHub App token via actions/create-github-app-token@v2 and sets GITHUB_TOKEN and GH_TOKEN from that output; subsequent publish and auto-merge steps use the generated token instead of secrets.GITHUB_TOKEN.

Changes

Cohort / File(s): CI workflow token generation (.github/workflows/release-prepare.yml)

Summary: Inserted a step using actions/create-github-app-token@v2 to generate a GitHub App token before Version PR creation. Downstream steps now set GITHUB_TOKEN and GH_TOKEN from the action output instead of secrets.GITHUB_TOKEN/secrets.GH_TOKEN, changing the authentication source for publishing and auto-merge.

Sequence Diagram(s)

sequenceDiagram
  participant Runner as Actions Runner
  participant CreateToken as create-github-app-token@v2
  participant GitHub as GitHub API
  participant Steps as Publish / Auto-merge Steps

  Runner ->> CreateToken: invoke action (app id, private key)
  CreateToken ->> GitHub: request app installation token
  GitHub -->> CreateToken: return token
  CreateToken -->> Runner: output token (GITHUB_TOKEN, GH_TOKEN)
  Runner ->> Steps: run publish/auto-merge with generated tokens
  Steps ->> GitHub: perform publish / create PR / merge using app token

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A hop, a key, a tiny bright token,

I fetched it at dawn while the old one was broken.
Pipelines hum, PRs glide and merge,
A burrow of commits in tidy new surge.
🥕✨

🚥 Pre-merge checks: 3 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: replacing GITHUB_TOKEN with a GitHub App token in the CI workflow to enable CI triggering on the version PR, which is the core objective of this change.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f2d5df2 and cc3ddf7.

📒 Files selected for processing (1)
  • .github/workflows/release-prepare.yml
🔇 Additional comments (3)
.github/workflows/release-prepare.yml (3)

57-57: LGTM: Token correctly propagated to changesets action.

This change enables the version PR to trigger CI workflows, which is the core objective of this PR.


65-65: LGTM: Auto-merge correctly uses the generated token.

The token is consistently applied to both the changesets action and the auto-merge step, ensuring both operations have the necessary permissions.


37-44: Approach is correct and uses current version.

Using a GitHub App token to trigger CI workflows is the right approach and follows best practices. The action version is current—v2 matches the latest major version (v2.2.1 as of Dec 2025), and the floating tag will automatically receive security updates within the v2 line.


@vibe-kanban-cloud

Review Complete

Your review story is ready!

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/release-prepare.yml:
- Around line 37-44: The workflow step with id "app-token" currently uses
actions/create-github-app-token@v1; update it to the v2 release pinned to a full
commit SHA instead of a floating tag to follow security hardening. Replace the
"uses: actions/create-github-app-token@v1" line in the "Generate GitHub App
Token" step with the v2 equivalent pinned to the specific commit SHA (e.g.,
actions/create-github-app-token@<full-commit-sha>) so the action is on the v2
code but immutable.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eb152eb and f2d5df2.

📒 Files selected for processing (1)
  • .github/workflows/release-prepare.yml
🔇 Additional comments (2)
.github/workflows/release-prepare.yml (2)

57-57: LGTM! Correct token replacement for triggering CI.

The App token will allow the version PR to trigger CI workflows, which is the intended behavior and resolves the limitation of GITHUB_TOKEN.


65-65: LGTM! Consistent token usage for auto-merge.

The App token is correctly used for the gh CLI command. Ensure the GitHub App has the pull_requests: write permission configured (mentioned as already set up in the prerequisites).

Comment on lines 37 to 44

      # Generate GitHub App token to allow version PR to trigger CI workflows
      # (GITHUB_TOKEN cannot trigger workflows by design)
      - name: Generate GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

actions/create-github-app-token latest version releases GitHub Actions

💡 Result:

The current released major version is v2 — use actions/create-github-app-token@v2. [1][2]

Sources:
[1] actions/create-github-app-token (GitHub repo).
[2] Create GitHub App Token (GitHub Marketplace).


🌐 Web query:

GitHub Actions version pinning best practices floating tags security

💡 Result:

Concise best-practices for pinning GitHub Actions and avoiding floating-tag risks:

  • Pin to a full commit SHA (immutable) whenever possible — SHA pinning is the strongest protection against tag moves/compromise. (docs.github.com)
  • Avoid floating refs like @main, @master, @latest or loose major tags (e.g., @V3) for third‑party actions; they can change unexpectedly. (docs.github.com)
  • If you must use tags for convenience, prefer immutable/release tags from trusted/verified creators and record the corresponding SHA in a comment. (docs.github.com)
  • Enforce org/repo policies that require SHA pinning or block unpinned/floating actions (use Allowed Actions / reusable-workflows policy). (docs.github.com)
  • Automate safe updates: use Dependabot / Renovate or pinning tools to raise PRs that update SHAs so changes are reviewed before merging. (github.com)
  • Restrict runtime blast radius: least‑privilege GITHUB_TOKEN permissions, avoid passing secrets to untrusted actions, and require approvals for sensitive workflows/environments. (docs.github.com)
  • Audit action code (or favor official/verified authors) and monitor for security advisories or compromises. (docs.github.com)

Example (recommended):

  • uses: actions/checkout@ # vX.Y.Z

If you want, I can: scan a repo/workflows for floating tags and produce a PR-ready list of replacements (SHAs + comments).


Upgrade to actions/create-github-app-token@v2 and pin to a specific commit SHA.

The action is using @v1, which is outdated; the current released version is @v2. More importantly, using floating major version tags (whether @v1 or @v2) carries security risks. Per GitHub's security hardening guidelines, pin to a full commit SHA for immutability and to prevent unexpected behavior from tag updates. Example:

uses: actions/create-github-app-token@<full-commit-sha>  # v2.Y.Z

@TabishB TabishB merged commit 8f5a526 into main Jan 11, 2026
6 of 7 checks passed
@TabishB TabishB deleted the github-app-token branch January 11, 2026 01:38