Add GitHub App token support for release push #15
Merged
Add optional release-app-id and release-app-private-key inputs (defaulting to PYBUILDER_RELEASE_APP_ID and PYBUILDER_RELEASE_APP_PRIVATE_KEY org secrets) to generate a GitHub App token via actions/create-github-app-token that can bypass branch protection rules. The app token is used for release commit push, GitHub Release creation, and dev version bump. Falls back to github-token when the app credentials are not provided.
Summary
- release-app-id and release-app-private-key inputs (default to PYBUILDER_RELEASE_APP_ID and PYBUILDER_RELEASE_APP_PRIVATE_KEY org secrets)
- actions/create-github-app-token@v2 when credentials are available
- github-token when app credentials are not provided

Context
GITHUB_TOKEN cannot bypass branch protection rules (required status checks, required PRs). The pybuilder-release GitHub App is installed on participating orgs with Contents read/write permission, allowing its tokens to push release commits and tags to protected branches.

No workflow changes needed in consuming repos — the action picks up the secrets automatically via defaults.
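
A sketch of the fallback described above, as an added example that is not the action's own code. Only the input names and `actions/create-github-app-token@v2` come from the PR; the step ids, the `RELEASE_TOKEN` variable, the push command and the assumption that checkout ran with `persist-credentials: false` are illustrative.

```yaml
# Added sketch of composite-action steps; not the action's actual implementation.
# Input names come from the PR description; step ids and RELEASE_TOKEN are assumed.
runs:
  using: composite
  steps:
    # Runs only when both app credentials were supplied.
    - name: Generate release app token
      id: release-app-token
      if: ${{ inputs.release-app-id != '' && inputs.release-app-private-key != '' }}
      uses: actions/create-github-app-token@v2
      with:
        app-id: ${{ inputs.release-app-id }}
        private-key: ${{ inputs.release-app-private-key }}

    # A skipped step yields an empty output, so `||` falls back to github-token.
    - name: Push release commit
      shell: bash
      env:
        RELEASE_TOKEN: ${{ steps.release-app-token.outputs.token || inputs.github-token }}
      run: |
        # Assumes checkout ran with persist-credentials: false, so no other
        # auth header is stored in .git/config to conflict with this one.
        # The token is sent as a header for this one push and is not persisted.
        auth=$(printf 'x-access-token:%s' "$RELEASE_TOKEN" | base64 | tr -d '\n')
        git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth}" \
          push origin "HEAD:${GITHUB_REF_NAME}"
```

Because the app token can push past branch protection, the job that calls these steps is the control point: restricting which workflows and refs can reach the org secrets limits who can mint it.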