Skip to content

ci: push release bump+tag with GITHUB_TOKEN instead of a missing GitHub App#7

Merged
uipreliga merged 1 commit into
mainfrom
ci/release-github-token-clean
Jul 9, 2026
Merged

ci: push release bump+tag with GITHUB_TOKEN instead of a missing GitHub App#7
uipreliga merged 1 commit into
mainfrom
ci/release-github-token-clean

Conversation

@uipreliga

Copy link
Copy Markdown
Collaborator

Problem

The first real Release run (dispatch on main) failed immediately at "Mint release app token":

Error: The 'client-id' (or deprecated 'app-id') input must be set to a non-empty string.

RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY are not configured on this repo, so the App token can't be minted — and publish-pypi (needs: release) was skipped. Nothing was published (safe failure).

Why the App isn't needed

The App token existed only to bypass branch protection when pushing the version-bump commit + tag. But main has no branch protection (Branch not protected), so a plain GITHUB_TOKEN with contents: write can push directly.

Change (1 file)

  • Remove the Mint release app token step.
  • Checkout uses the default GITHUB_TOKEN (persisted for the push).
  • permissions: contents: write (was read) to allow the bump/tag push.
  • semantic-release GH_TOKENsecrets.GITHUB_TOKEN.

No other behavior changes — the run still bumps the version, publishes to the Azure feed and public PyPI (existing pending publisher: workflow release.yml, env pypi), and pushes the GHCR image.

If branch protection is ever added to main, either add a GITHUB_TOKEN bypass entry or restore an app-token step.

🤖 Generated with Claude Code

The release job failed at "Mint release app token" because
RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY are not set on this repo. The
App existed only to bypass main's branch protection when pushing the
version bump + tag -- but main has no branch protection, so the App is
unnecessary. Push directly with the built-in GITHUB_TOKEN (contents:
write). This unblocks the release, which then publishes to public PyPI
(the existing pending publisher: workflow release.yml, environment pypi)
and the Azure feed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Claude finished @uipreliga's task in 1m 35s —— View job


PR Review: Fix Release Workflow GitHub Token Issue

Review Tasks:

  • Read review guidelines from .github/code_review.md
  • Read project conventions from CLAUDE.md
  • View the full PR diff
  • Read the complete changed file for context
  • Perform cross-file consistency checks
  • Analyze "what's missing" aspects
  • Provide design-level scrutiny
  • Post comprehensive review

@uipreliga uipreliga merged commit 5d8c8de into main Jul 9, 2026
13 checks passed
@uipreliga uipreliga deleted the ci/release-github-token-clean branch July 9, 2026 10:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant