ci(release): switch token mint to client-id var #721
Merged
The RELEASE_APP_ID org secret was deleted in favor of a RELEASE_APP_CLIENT_ID org variable (openemr#701). Three workflows still passed the deleted secret as app-id; build-patch.yml and build-release.yml were already on the client-id input but still pointed at the deleted secret as the source. Swap all five over to vars.RELEASE_APP_CLIENT_ID and update the plan doc and release-permissions-check.yml header comment to reflect the variable-vs-secret split. Private-key references unchanged. Assisted-by: Claude Code
Pull request overview
This PR updates release automation workflows and documentation to mint GitHub App tokens using the RELEASE_APP_CLIENT_ID organization variable instead of the removed RELEASE_APP_ID secret.
Changes:
- Replaces release App token inputs with client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}.
- Updates release permissions documentation/comments to describe the new variable plus existing private key secret.
- Removes remaining references to the deleted RELEASE_APP_ID secret in touched release workflows.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/build-patch.yml | Uses the new org variable for release App token generation. |
| .github/workflows/build-release.yml | Uses the new org variable for release App token generation. |
| .github/workflows/release-permissions-check.yml | Updates token minting and explanatory comments. |
| .github/workflows/release-rotation.yml | Updates release App token minting for rotation automation. |
| .github/workflows/ship-release.yml | Updates release App token minting for cross-repo release shipping. |
| docs/release-automation-plan.md | Documents the new client-id variable/private-key secret pairing. |
The previous commit swapped these workflows to the client-id input, but v1 of actions/create-github-app-token only accepts app-id — client-id was added in v2+. Bump release-rotation.yml, release-permissions-check.yml, and ship-release.yml to @v3.1 to match what build-patch.yml and build-release.yml already use. Assisted-by: Claude Code
The RELEASE_APP_ID org secret was deleted in favor of a RELEASE_APP_CLIENT_ID org variable (#701). This swaps every workflow that mints a release App token to the new variable and updates the plan doc to match.

Files touched:
- .github/workflows/release-rotation.yml
- .github/workflows/release-permissions-check.yml
- .github/workflows/ship-release.yml
- .github/workflows/build-patch.yml
- .github/workflows/build-release.yml
- docs/release-automation-plan.md

build-patch.yml and build-release.yml had already moved to the client-id: input but were still reading the deleted secrets.RELEASE_APP_ID — this fixes that half-migrated state. Private-key references are unchanged.
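An added example, not code from this PR or the project: a stdlib-only check for the two failure states the commit messages describe, a mint step still reading the deleted secrets.RELEASE_APP_ID and a client-id input passed to actions/create-github-app-token@v1. The sample workflow text is constructed, and the line-based matching assumes the action is pinned by a vN tag.

```python
import re

# Constructed sample workflow (not from the PR): four ways a mint step can look.
SAMPLE = """\
jobs:
  release:
    steps:
      - uses: actions/create-github-app-token@v1      # stale secret
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}
      - uses: actions/create-github-app-token@v3.1    # half-migrated
        with:
          client-id: ${{ secrets.RELEASE_APP_ID }}
      - uses: actions/create-github-app-token@v1      # v1 given client-id
        with:
          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
      - uses: actions/create-github-app-token@v3.1    # migrated
        with:
          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
"""

USES = re.compile(r"uses:\s*actions/create-github-app-token@v(\d+)")
INPUT = re.compile(r"^\s*(app-id|client-id):\s*(.+?)\s*$")
DELETED = re.compile(r"secrets\.RELEASE_APP_ID\b")

def audit(text):
    """Return (line_no, problem) pairs for token-mint steps in one workflow file."""
    findings, major = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*-\s", line):   # a new step starts: forget the previous action
            major = None
        m = USES.search(line)
        if m:
            major = int(m.group(1))     # major version of the pinned tag
            continue
        m = INPUT.match(line)
        if not m or major is None:      # only inspect inputs of a mint step
            continue
        key, value = m.groups()
        if DELETED.search(value):
            findings.append((no, f"{key} reads deleted secret RELEASE_APP_ID"))
        if key == "client-id" and major < 2:
            findings.append((no, f"client-id passed to @v{major}, which only accepts app-id"))
    return findings

if __name__ == "__main__":
    for no, problem in audit(SAMPLE):
        print(f"line {no}: {problem}")
```

Run over each file under .github/workflows, an empty result means no mint step is left in either state.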