fix(ci): pass GitHub App token to checkout for workflow triggering #1264

Merged
paulbalaji merged 1 commit into main from fix/release-workflow-trigger-ci
Dec 3, 2025
@paulbalaji paulbalaji commented Dec 3, 2025

Summary

  • Move token generation before checkout in release workflow
  • Pass the GitHub App token to actions/checkout
  • This allows subsequent pushes to trigger CI workflows

Problem

When the release workflow pushes commits (e.g., "Version Packages"), CI doesn't run on those commits. This is because:

  1. actions/checkout configures git credentials at checkout time
  2. By default, it uses GITHUB_TOKEN which cannot trigger other workflows (GitHub security feature)
  3. GitHub App tokens can trigger workflows, but only if used for git authentication

Solution

Generate the token before checkout and pass it via the token parameter:

- name: Generate GitHub App Token
  id: generate-token
  uses: actions/create-github-app-token@v2
  ...

- uses: actions/checkout@v4
  with:
    token: ${{ steps.generate-token.outputs.token }}  # <-- This is key

Note: combine.yml and update-hyperlane-deps.yml already do this correctly.

Test Plan

  • Merge this PR
  • Trigger a release (e.g., merge a changeset)
  • Verify CI runs on the "Version Packages" commit pushed by hyper-gonk

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Optimized internal release workflow to improve efficiency and reduce redundant processes.


Move token generation before checkout and pass the token to
actions/checkout. This ensures git credentials are configured with
the GitHub App token, allowing subsequent pushes to trigger CI
workflows.

Previously, checkout used the default GITHUB_TOKEN which cannot
trigger other workflows (GitHub security feature). GitHub App tokens
can trigger workflows, but only if used for git authentication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
changeset-bot bot commented Dec 3, 2025

⚠️ No Changeset found

Latest commit: f5e242b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@paulbalaji paulbalaji enabled auto-merge December 3, 2025 13:19
coderabbitai bot commented Dec 3, 2025

Walkthrough

The release workflow's GitHub App token generation gets consolidated into a single pre-checkout step, eliminating duplicate token creation previously scattered throughout the workflow. The generated token output now flows downstream to the Checkout step and subsequent operations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow Token Generation Refactor: .github/workflows/release.yml | Moved GitHub App token generation to a pre-checkout step, removed duplicate token generation from the "Install Dependencies" section, and configured the token to be passed to Checkout and downstream steps via outputs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Single workflow file with straightforward reorganization
  • Token generation logic moved earlier, duplicate removed
  • No complex logic changes or new dependencies

Suggested reviewers

  • xeno097

Poem

🌿 One token to rule 'em, one token, no more—
No copies, no clutter scattered cross the floor.
It flows downstream clean, like a swamp in the spring,
When one simple thing does the work of all things. 🧅

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: passing a GitHub App token to checkout for workflow triggering, which is the core fix addressed in this PR. |
| Description check | ✅ Passed | The description includes all required template sections with detailed explanations of the summary, problem context, and solution approach, though the backward compatibility section is not explicitly addressed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4e4f0b and f5e242b.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Release
🔇 Additional comments (3)
.github/workflows/release.yml (3)

21-28: Nice structure — token generation upfront.

Aye, this is done right. Generating the GitHub App token before checkout and squirreling away the step ID means all the rest of the workflow can use the outputs cleanly. The comments explain the why, which is helpful. No complaints here, this looks sound.


30-33: Git credentials now configured with the app token — good for workflow triggering.

By passing the GitHub App token to checkout, the bot commits will have the right credentials to trigger downstream workflows. This is the core of what we're after, and it's wired up properly. The token output reference matches what generate-github-app-token provides.


43-63: Downstream steps properly consume the token outputs.

All references to steps.generate-token.outputs.token and steps.generate-token.outputs.app-slug are valid. The actions/create-github-app-token@v2 action provides both outputs, confirming that the git configuration, gh CLI call, and changesets action are pulling from the correct token generation step without duplication or mixed sources.



@paulbalaji paulbalaji added this pull request to the merge queue Dec 3, 2025
Merged via the queue into main with commit fd8fd13 Dec 3, 2025
11 checks passed
@paulbalaji paulbalaji deleted the fix/release-workflow-trigger-ci branch December 3, 2025 13:25
christopherbrumm pushed a commit that referenced this pull request Dec 15, 2025
christopherbrumm pushed a commit that referenced this pull request Dec 15, 2025
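
Added example, not part of this PR or the repository's code: a small standard-library lint for the ordering problem the PR describes, flagging an `actions/checkout` step that either has no `token:` input (so it falls back to `GITHUB_TOKEN`) or references a token step that has not run yet. The sample workflows and the function names `split_steps` and `audit` are constructed for illustration, and the parser is a simple indentation-based heuristic over a single `steps:` list rather than a full YAML parser.

```python
import re

# Constructed samples (not the repository's release.yml).
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - name: Generate GitHub App Token
    id: generate-token
    uses: actions/create-github-app-token@v2
  - run: git push
"""
AFTER = """\
steps:
  - name: Generate GitHub App Token
    id: generate-token
    uses: actions/create-github-app-token@v2
  - uses: actions/checkout@v4
    with:
      token: ${{ steps.generate-token.outputs.token }}
  - run: git push
"""

def split_steps(text):
    """Split a steps: list into per-step chunks using the first '- ' indent seen."""
    steps, cur, indent = [], None, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)- ", line)
        if m and (indent is None or len(m.group(1)) == indent):
            indent = len(m.group(1))
            cur = [line]
            steps.append(cur)
        elif cur is not None:
            cur.append(line)  # continuation of the current step
    return ["\n".join(s) for s in steps]

def audit(text):
    """Return (step_index, message) for each checkout not backed by an earlier App token."""
    findings, token_ids = [], set()
    for i, step in enumerate(split_steps(text)):
        if "actions/create-github-app-token@" in step:
            m = re.search(r"^\s*(?:- )?id:\s*(\S+)", step, re.M)
            if m:
                token_ids.add(m.group(1))
        elif re.search(r"uses:\s*actions/checkout@", step):
            m = re.search(r"^\s*token:\s*\$\{\{\s*steps\.([\w-]+)\.outputs\.token\s*\}\}", step, re.M)
            if not m:
                findings.append((i, "checkout falls back to GITHUB_TOKEN; its pushes cannot trigger workflows"))
            elif m.group(1) not in token_ids:
                findings.append((i, f"checkout references step '{m.group(1)}' that has not run yet"))
    return findings
```

Only workflows that push commits need this check; a read-only checkout with the default token is expected to be flagged and can be ignored.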