fix(ci): pass GitHub App token to checkout for workflow triggering

[paulbalaji]

Summary

• Move token generation before checkout in release workflow
• Pass the GitHub App token to actions/checkout
• This allows subsequent pushes to trigger CI workflows

Problem

When the release workflow pushes commits (e.g., "Version Packages"), CI doesn't run on those commits. This is because:

1. actions/checkout configures git credentials at checkout time
2. By default, it uses GITHUB_TOKEN which cannot trigger other workflows (GitHub security feature)
3. GitHub App tokens can trigger workflows, but only if used for git authentication

Solution

Generate the token before checkout and pass it via the token parameter:

- name: Generate GitHub App Token
  id: generate-token
  uses: actions/create-github-app-token@v2
  ...

- uses: actions/checkout@v4
  with:
    token: ${{ steps.generate-token.outputs.token }}  # <-- This is key

Note: combine.yml and update-hyperlane-deps.yml already do this correctly.

Test Plan

• Merge this PR
• Trigger a release (e.g., merge a changeset)
• Verify CI runs on the "Version Packages" commit pushed by hyper-gonk

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Optimized internal release workflow to improve efficiency and reduce redundant processes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: f5e242b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

The release workflow's GitHub App token generation gets consolidated into a single pre-checkout step, eliminating duplicate token creation previously scattered throughout the workflow. The generated token output now flows downstream to the Checkout step and subsequent operations.

Changes

Cohort / File(s)	Summary
Workflow Token Generation Refactor .github/workflows/release.yml	Moved GitHub App token generation to a pre-checkout step, removed duplicate token generation from the "Install Dependencies" section, and configured the token to be passed to Checkout and downstream steps via outputs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Single workflow file with straightforward reorganization
• Token generation logic moved earlier, duplicate removed
• No complex logic changes or new dependencies

Possibly related PRs

• fix: use Hyper Gonk identity for git commits #1258: Modifies token generation and git credential configuration in the same workflow, working with outputs from the consolidated token step.
• fix: use bot user ID for proper avatar attribution in commits #1262: Adjusts GitHub App token generation and the "Get GitHub App User ID" step in the release workflow to align with centralized token creation.

Suggested reviewers

• xeno097

Poem

🌿 One token to rule 'em, one token, no more—
No copies, no clutter scattered cross the floor.
It flows downstream clean, like a swamp in the spring,
When one simple thing does the work of all things. 🧅

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: passing a GitHub App token to checkout for workflow triggering, which is the core fix addressed in this PR.
Description check	✅ Passed	The description includes all required template sections with detailed explanations of the summary, problem context, and solution approach, though the backward compatibility section is not explicitly addressed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/release-workflow-trigger-ci

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4e4f0b and f5e242b.

📒 Files selected for processing (1)

• .github/workflows/release.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Release

🔇 Additional comments (3)

.github/workflows/release.yml (3)

21-28: Nice structure — token generation upfront.

Aye, this is done right. Generating the GitHub App token before checkout and squirreling away the step ID means all the rest of the workflow can use the outputs cleanly. The comments explain the why, which is helpful. No complaints here, this looks sound.

---

30-33: Git credentials now configured with the app token — good for workflow triggering.

By passing the GitHub App token to checkout, the bot commits will have the right credentials to trigger downstream workflows. This is the core of what we're after, and it's wired up properly. The token output reference matches what generate-github-app-token provides.

---

43-63: Downstream steps properly consume the token outputs.

All references to steps.generate-token.outputs.token and steps.generate-token.outputs.app-slug are valid. The actions/create-github-app-token@v2 action provides both outputs, confirming that the git configuration, gh CLI call, and changesets action are pulling from the correct token generation step without duplication or mixed sources.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}