openemr · kojiromike · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/.github/workflows/build-patch.yml b/.github/workflows/build-patch.yml
@@ -73,7 +73,7 @@ jobs:
       id: app-token
       uses: actions/create-github-app-token@v3.1
       with:
-        client-id: ${{ secrets.RELEASE_APP_ID }}
+        client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
         private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
         owner: openemr
         repositories: openemr

diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
@@ -73,7 +73,7 @@ jobs:
       id: app-token
       uses: actions/create-github-app-token@v3.1
       with:
-        client-id: ${{ secrets.RELEASE_APP_ID }}
+        client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
         private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
         owner: openemr
         repositories: openemr

diff --git a/.github/workflows/release-permissions-check.yml b/.github/workflows/release-permissions-check.yml
@@ -1,7 +1,8 @@
 name: Release Permissions Check
 
 # Manual probe of the release App's installed permissions on this repo.
-# Mints an App token from RELEASE_APP_ID + RELEASE_APP_PRIVATE_KEY and
+# Mints an App token from the RELEASE_APP_CLIENT_ID org variable +
+# RELEASE_APP_PRIVATE_KEY org secret and
 # exercises only what tools/release/ rotation needs (per docs/release-automation-plan.md).
 # Run after installing the App and after secrets rotations.
 
@@ -32,9 +33,9 @@ jobs:
 
       - name: Mint release App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v3.1
         with:
-          app-id: ${{ secrets.RELEASE_APP_ID }}
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
 
       - name: Probe — installation includes this repo

diff --git a/.github/workflows/release-rotation.yml b/.github/workflows/release-rotation.yml
@@ -42,9 +42,9 @@ jobs:
     steps:
       - name: Mint release App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v3.1
         with:
-          app-id: ${{ secrets.RELEASE_APP_ID }}
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
 
       - name: Checkout

diff --git a/.github/workflows/ship-release.yml b/.github/workflows/ship-release.yml
@@ -44,9 +44,9 @@ jobs:
     steps:
       - name: Mint release App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v3.1
         with:
-          app-id: ${{ secrets.RELEASE_APP_ID }}
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
           owner: openemr
           repositories: |

diff --git a/docs/release-automation-plan.md b/docs/release-automation-plan.md
@@ -93,7 +93,8 @@ host most of the rewrite logic.
 ## Permissions self-check
 
 `.github/workflows/release-permissions-check.yml` (manual `workflow_dispatch`).
-Mints an App token from `RELEASE_APP_ID` + `RELEASE_APP_PRIVATE_KEY` and
+Mints an App token from the `RELEASE_APP_CLIENT_ID` org variable +
+`RELEASE_APP_PRIVATE_KEY` org secret and
 probes only what this repo's rotation workflow needs:
 
 - `GET /installation/repositories` — confirm this repo is in the install list.