From f2d5df288bd7b28c7add6caaeb89d7edfc3f7754 Mon Sep 17 00:00:00 2001
From: Tabish Bidiwale
Date: Sat, 10 Jan 2026 16:52:16 -0800
Subject: [PATCH 1/3] ci: use GitHub App token to trigger CI on version PR

Replace GITHUB_TOKEN with a GitHub App token so that the version PR can trigger CI workflows. GITHUB_TOKEN cannot trigger workflows by design (to prevent infinite loops). Requires APP_ID variable and APP_PRIVATE_KEY secret to be configured.
---
 .github/workflows/release-prepare.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index c83e6f5b..f83a0439 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -34,6 +34,15 @@ jobs:
 
  - run: pnpm install --frozen-lockfile
 
+ # Generate GitHub App token to allow version PR to trigger CI workflows
+ # (GITHUB_TOKEN cannot trigger workflows by design)
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
  # Opens/updates the Version Packages PR; publishes when the Version PR merges
  - name: Create/Update Version PR
  id: changesets
@@ -45,7 +54,7 @@ jobs:
  # so package.json already contains the bumped version.
  publish: pnpm run release:ci
  env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
  # npm authentication handled via OIDC trusted publishing (no token needed)
 
  # Auto-merge the version PR when CI passes (reduces release to effectively 1 PR)
@@ -53,4 +62,4 @@ jobs:
  if: steps.changesets.outputs.pullRequestNumber
  run: gh pr merge ${{ steps.changesets.outputs.pullRequestNumber }} --auto --squash
  env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
From cc3ddf7231ab4f9101600f9ae79e7b04e80e515a Mon Sep 17 00:00:00 2001
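Review bot: The new `Generate GitHub App Token` step in the `@@ -34,6 +34,15 @@` hunk passes `secrets.APP_PRIVATE_KEY` to an action referenced by the mutable tag `@v1`, so whatever that tag points to at run time receives the App's private key. Pinning to a full commit SHA, `uses: actions/create-github-app-token@<full-commit-sha> # <release tag>`, removes that dependency on the tag; the same applies to the `@v2` reference in patch 2/3. The step also requests no specific permissions, so the token presumably carries everything the App installation is granted; the action's `permission-<name>` inputs can narrow it, for example `permission-contents: write` and `permission-pull-requests: write`, adjusted to what the changesets step and `gh pr merge` actually need.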
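Review bot: `GITHUB_TOKEN` in the `env:` block of the `@@ -45,7 +54,7 @@` hunk now holds the App token, and the same step runs `publish: pnpm run release:ci`, so the release script and anything it spawns presumably inherit a credential that, unlike the default token, can start other workflows. Nothing in the file records that difference; a comment above the line would help, e.g. `# App installation token (can trigger workflows); also visible to release:ci, so keep the App's permissions minimal`. The step starts above the hunk, so its `uses:` line and remaining inputs are not visible here. The `GH_TOKEN` change in the `@@ -53,4 +62,4 @@` hunk reuses the same token.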
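Review bot: With the App token on `GH_TOKEN` in the `@@ -53,4 +62,4 @@` hunk, the version PR is opened and then auto-merged by the same automated identity, so the only gate before the publish path is whatever branch protection enforces on the base branch. `--auto` waits only for requirements that are actually configured; if the base branch has no required status checks, or the App is allowed to bypass them, there is nothing to wait for and the "when CI passes" in the workflow's own comment does not hold. That configuration is outside the patch, so it should be documented next to the step, e.g. `# Needs required status checks on the base branch; the App must not be on the bypass list`. The step's `- name:` line is above the hunk.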
From: Tabish Bidiwale
Date: Sat, 10 Jan 2026 17:35:10 -0800
Subject: [PATCH 2/3] ci: upgrade create-github-app-token to v2

---
 .github/workflows/release-prepare.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index f83a0439..d466eb5f 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -38,7 +38,7 @@ jobs:
  # (GITHUB_TOKEN cannot trigger workflows by design)
  - name: Generate GitHub App Token
  id: app-token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@v2
  with:
  app-id: ${{ vars.APP_ID }}
  private-key: ${{ secrets.APP_PRIVATE_KEY }}
From 4db30bcd832fa24500cdb29c5c34039bdb359c22 Mon Sep 17 00:00:00 2001
From: Tabish Bidiwale
Date: Sat, 10 Jan 2026 17:43:23 -0800
Subject: [PATCH 3/3] ci: add commitMode github-api to trigger CI on version PR

---
 .github/workflows/release-prepare.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml
index d466eb5f..7ce52a27 100644
--- a/.github/workflows/release-prepare.yml
+++ b/.github/workflows/release-prepare.yml
@@ -50,6 +50,8 @@ jobs:
  with:
  title: 'chore(release): version packages'
  createGithubReleases: true
+ # Use github-api to attribute commits to the GitHub App, enabling CI triggers
+ commitMode: github-api
  # Use CI-specific release script: relies on version PR having been merged
  # so package.json already contains the bumped version.
  publish: pnpm run release:ci
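Review bot: The comment added above `commitMode: github-api` in patch 3/3 gives the effect but not the reason the token swap in patch 1/3 was not enough on its own, which the next person to touch this step will need. Presumably the default git-based commit mode pushes with whatever credentials the checkout step left in the git config (that step is outside the hunk), so the push was still made as the default token; if that is the cause, say so, e.g. `# git-cli pushes with checkout's persisted GITHUB_TOKEN, which cannot trigger workflows; github-api commits with the App token instead`. The `with:` block starts above the hunk, so the changesets action version is not visible here; it is worth confirming that version recognises `commitMode`, since an unknown input only produces a warning.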