From df121095162c7e1bd469307d0ca39e6ed3ff5588 Mon Sep 17 00:00:00 2001 From: uipreliga Date: Thu, 9 Jul 2026 12:14:14 +0200 Subject: [PATCH] ci: push release bump+tag with GITHUB_TOKEN instead of a GitHub App The release job failed at "Mint release app token" because RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY are not set on this repo. The App existed only to bypass main's branch protection when pushing the version bump + tag -- but main has no branch protection, so the App is unnecessary. Push directly with the built-in GITHUB_TOKEN (contents: write). This unblocks the release, which then publishes to public PyPI (the existing pending publisher: workflow release.yml, environment pypi) and the Azure feed. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release.yml | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b14e10ab..6b6aa90d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,12 +30,12 @@ concurrency: group: release-${{ github.ref }} cancel-in-progress: false -# The version-bump commit + tag are pushed with a GitHub App installation -# token (not GITHUB_TOKEN): main's branch protection blocks direct pushes, -# and only the release app has a ruleset bypass. GITHUB_TOKEN is only used -# for the checkout's read access. +# `main` has no branch protection, so the version-bump commit + tag are +# pushed directly with the built-in GITHUB_TOKEN (contents: write) -- no +# GitHub App / ruleset bypass is required. If branch protection is added +# later, either add a GITHUB_TOKEN bypass or restore an app-token step. permissions: - contents: read + contents: write # push the version-bump commit + tag to main packages: write # push the versioned agent image to ghcr.io on release jobs: @@ -58,20 +58,12 @@ jobs: SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS: "openai-codex-cli-bin,openai-codex" steps: - - name: Mint release app token - id: app-token - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 - with: - app-id: ${{ secrets.RELEASE_APP_ID }} - private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} - - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # semantic-release needs full history for tags + changelog - # Persisted in .git config so semantic-release's push to main is - # authenticated as the app (which bypasses branch protection). - token: ${{ steps.app-token.outputs.token }} + # Default GITHUB_TOKEN is persisted in .git config so the bump + # commit + tag push to (unprotected) main is authenticated. - name: Set up Python 3.13 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 @@ -89,7 +81,7 @@ jobs: - name: Run semantic-release (bump + tag, no push yet) id: release env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Passed via env (not interpolated into the script) per GitHub's # injection guidance; it's a constrained choice input regardless. BUMP: ${{ inputs.bump }}