chore: use GitHub App token for releases

[OzBenSimhonTraceloop]

Replace GH_ACCESS_TOKEN with GitHub App token for better security and to avoid rate limiting issues.

Changes:

• Added GitHub App token generation step
• Updated checkout to use the app token
• Updated Git Identity step to use the app token
• Updated release creation to use the app token

Required secrets:

• CI_BOT_APP_ID
• CI_BOT_PRIVATE_KEY

---

Important

Replaces GH_ACCESS_TOKEN with a GitHub App token in the release workflow for improved security and reliability.

• Security:
  • Replaces GH_ACCESS_TOKEN with a GitHub App token for authentication in .github/workflows/release.yml.
  • Generates GitHub App token using actions/create-github-app-token@v2.
• Workflow:
  • Updates actions/checkout@v4 to use the app token.
  • Updates Git identity setup to use the app token.
  • Updates release creation to use the app token.
• Secrets:
  • Requires CI_BOT_APP_ID and CI_BOT_PRIVATE_KEY secrets for token generation.

^{This description was created by for 0d40157. You can customize this summary. It will automatically update as commits are pushed.}

---

Summary by CodeRabbit

• Chores
  • Updated the release workflow to use a GitHub App token for authentication across checkout, versioning, release creation, and changelog publishing.
  • Centralized token propagation so all subsequent workflow steps consistently use the generated app token, improving security and reliability of automated releases.

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to b048541 in 10 seconds. Click for details.

• Reviewed 48 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 0 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

Workflow ID: wflow_lZ7gDjW5M0z7BwgD

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Release workflow now generates a GitHub App token via actions/create-github-app-token@v2 and replaces prior GITHUB_TOKEN/secret usage with that token for checkout, versioning, release creation, and changelog publishing (git remote updated to x-access-token).

Changes

Cohort / File(s)	Summary
GitHub Workflow Authentication ​.github/workflows/release.yml	Add actions/create-github-app-token@v2 step to produce steps.app-token.outputs.token. Use that token for actions/checkout, git remote (x-access-token), Git identity env, version creation, release creation, and changelog publishing; replace previous GITHUB_TOKEN/secrets usage.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Maintainer
    participant Release_Workflow as "Release Workflow"
    participant Create_Token as "actions/create-github-app-token"
    participant GitHub_App as "GitHub App"
    participant Actions as "Actions (checkout/version/release)"
    participant Repo as "Repository API"

    Maintainer->>Release_Workflow: trigger release workflow
    Release_Workflow->>Create_Token: run with app-id & private-key
    Create_Token->>GitHub_App: request app installation token
    GitHub_App-->>Create_Token: return token
    Create_Token-->>Release_Workflow: outputs.token
    Release_Workflow->>Actions: checkout using token (x-access-token)
    Actions->>Repo: perform version bump / create release / publish changelog with token
    Repo-->>Actions: respond success
    Actions-->>Release_Workflow: steps complete

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I found a key beneath a log,
Signed and snug, not owned by fog.
Checkout, tag, and publish cheer—
The meadow's release hops near. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: use GitHub App token for releases' clearly summarizes the main change: replacing GH_ACCESS_TOKEN with a GitHub App token for the release workflow.
Linked Issues check	✅ Passed	The PR objectives align with the linked issue TLP-1728 by implementing GitHub App token usage to replace GH_ACCESS_TOKEN, improving security and addressing token deprecation.
Out of Scope Changes check	✅ Passed	All changes are within scope: the PR modifies only the release.yml workflow file to implement GitHub App token authentication, directly addressing the objectives without introducing unrelated changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch obs/gh_token_removal-TLP-1728

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/release.yml:
- Around line 9-11: The permissions block currently grants the default
GITHUB_TOKEN unnecessary repo write access via "contents: write"; remove the
"contents: write" entry from the permissions map in
.github/workflows/release.yml (leave "id-token: write" intact) so the workflow
follows least-privilege and all write actions continue to use the app token
instead of GITHUB_TOKEN.

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed f636a45 in 8 seconds. Click for details.

• Reviewed 46 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 0 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

Workflow ID: wflow_vckTv8ckr3o2hgdX

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed 0d40157 in 6 seconds. Click for details.

• Reviewed 15 lines of code in 1 files
• Skipped 0 files when reviewing.
• Skipped posting 0 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

Workflow ID: wflow_rt5M0gPz1iUpcFw0

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

50-56: ⚠️ Potential issue | 🟡 Minor

Update softprops/action-gh-release from v1 to v2.

The action is pinned to v1, which is outdated. The latest version is v2.5.0 with the major version available as @v2. Upgrade to benefit from bug fixes, improvements, and ongoing maintenance.

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

37-43: Consider using local git config instead of global.

While the runner is ephemeral, using --local (or omitting the flag, which defaults to local) is a better practice for CI environments. It ensures configuration is scoped to the repository and avoids potential issues with parallel jobs.

♻️ Suggested change

       - name: Git Identity
         run: |
-          git config --global user.name 'github-actions[bot]'
-          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          git config user.name 'github-actions[bot]'
+          git config user.email 'github-actions[bot]@users.noreply.github.com'
           git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}