ci: replace GitHub App token with GITHUB_TOKEN in release workflows #23

Merged: guibeira merged 1 commit into main from fix-token-ci on Apr 9, 2026

Conversation

@guibeira (Collaborator) commented Apr 9, 2026

Summary

  • Remove GitHub App token (GH_APP_ID/GH_APP_PRIVATE_KEY) from _rust-binary.yml and release.yml, using GITHUB_TOKEN instead
  • Aligns with the change already done for the VSCode extension release in cc579c8
  • Fixes the release-lsp-binary workflow failure caused by missing GH_APP_ID secret

Test plan

  • Run release-lsp-binary workflow via workflow_dispatch with a dry-run tag (e.g., iii-lsp/v0.1.0-dry-run.1)
  • Verify image-resize release still works after token removal

Summary by CodeRabbit

  • Chores
    • Streamlined CI/CD authentication in release workflows by removing custom GitHub App token generation and transitioning to standard GitHub token authentication. Simplified secret handling across release pipelines to improve maintainability.

@coderabbitai (bot) commented Apr 9, 2026

Walkthrough

The changes simplify GitHub Actions workflows by removing custom GitHub App token generation and replacing it with the default github.token (GITHUB_TOKEN) or secrets: inherit pattern, eliminating requirements for GH_APP_ID and GH_APP_PRIVATE_KEY secrets across multiple release workflows.

Changes

  • Reusable Workflow Template (.github/workflows/_rust-binary.yml): Removed required workflow-call secrets (GH_APP_ID, GH_APP_PRIVATE_KEY) and deleted the GitHub App token generation step. Updated the binary upload action to use ${{ github.token }} instead of the generated token.
  • Release Workflow Callers (.github/workflows/release-lsp-binary.yml, .github/workflows/release.yml): Removed explicit GitHub App token generation steps and replaced explicit secret mappings with secrets: inherit, allowing downstream workflows to receive secrets from the parent context. Updated checkout and release steps to use default authentication.

Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Suggested reviewers

  • andersonleal

Poem

🐰 wiggles nose No more secrets spinning 'round,
GITHUB_TOKEN keeps us sound!
Token chains all swept away,
Cleaner workflows brighten the day! ✨

Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: replacing GitHub App tokens with GITHUB_TOKEN in release workflows.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.


@guibeira guibeira changed the title ci: add iii-lsp binary release pipeline ci: replace GitHub App token with GITHUB_TOKEN in release workflows Apr 9, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-lsp-binary.yml:
- Line 101: Remove the unnecessary "secrets: inherit" entry in the reusable
workflow call in release-lsp-binary.yml (the line that currently forwards all
secrets) because the called reusable workflow _rust-binary.yml declares no
workflow_call.secrets and doesn't reference secrets; delete that "secrets:
inherit" line from the workflow call so you don't forward every repository
secret to the called workflow or its third-party actions, and confirm that no
workflow_call.secrets are expected by the _rust-binary.yml workflow before
committing.

In @.github/workflows/release.yml:
- Line 101: Remove the unnecessary secrets inheritance: locate the reusable
workflow call that currently includes the key "secrets: inherit" (the invocation
of the _rust-binary reusable workflow) and delete that "secrets: inherit" line
so the caller no longer passes secrets to the callee; leave the rest of the
workflow_call invocation intact so the reusable workflow continues to use
github.token as before.


📥 Commits

Reviewing files that changed from the base of the PR and between f1b4874 and 135f19a.

📒 Files selected for processing (3)
  • .github/workflows/_rust-binary.yml
  • .github/workflows/release-lsp-binary.yml
  • .github/workflows/release.yml

secrets:
GH_APP_ID: ${{ secrets.GH_APP_ID }}
GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
secrets: inherit
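Review bot: the explicit GH_APP_ID / GH_APP_PRIVATE_KEY mapping is replaced by `secrets: inherit`, which forwards every repository secret to _rust-binary.yml even though, per the walkthrough above, that workflow no longer declares any workflow_call secrets and authenticates with ${{ github.token }}; drop the `secrets: inherit` line so the callee and the third-party actions it runs receive nothing beyond the job token. One more thing to confirm before merging: an App installation token is not governed by the workflow's `permissions:` key, but GITHUB_TOKEN is, so the job that uploads release assets with github.token needs `contents: write` (set on the caller job or inside the reusable workflow), otherwise a repository whose default token permission is read-only fails at the upload step.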

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

wf=".github/workflows/_rust-binary.yml"

echo "== workflow_call header =="
sed -n '1,40p' "$wf"

echo
echo "== direct secret references in reusable workflow =="
rg -n -C2 '\bsecrets\.' "$wf" || true

echo
echo "== actions invoked by reusable workflow =="
rg -n '^\s*-?\s*uses:\s+' "$wf"

Repository: iii-hq/workers

Length of output: 1588


Remove unnecessary secret inheritance.

Line 101 forwards every available secret into the reusable workflow even though .github/workflows/_rust-binary.yml declares no workflow_call.secrets and contains no secrets. references. This unnecessarily broadens secret exposure to the called workflow and its third-party actions.

Suggested fix
   binary-build:
     name: Binary Release
     needs: [setup, create-release]
     if: ${{ !failure() && !cancelled() }}
     uses: ./.github/workflows/_rust-binary.yml
     with:
       bin_name: iii-lsp
       manifest_path: iii-lsp/Cargo.toml
       tag_name: ${{ needs.setup.outputs.tag }}
       is_prerelease: ${{ needs.setup.outputs.is_prerelease == 'true' }}
       skip_create_release: true
       dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
-    secrets: inherit
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-lsp-binary.yml at line 101, Remove the unnecessary
"secrets: inherit" entry in the reusable workflow call in release-lsp-binary.yml
(the line that currently forwards all secrets) because the called reusable
workflow _rust-binary.yml declares no workflow_call.secrets and doesn't
reference secrets; delete that "secrets: inherit" line from the workflow call so
you don't forward every repository secret to the called workflow or its
third-party actions, and confirm that no workflow_call.secrets are expected by
the _rust-binary.yml workflow before committing.

secrets:
GH_APP_ID: ${{ secrets.GH_APP_ID }}
GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
secrets: inherit
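Review bot: same `secrets: inherit` over-grant as in release-lsp-binary.yml; remove the line, since _rust-binary.yml declares no workflow_call secrets. Also worth noting in the PR description: events produced with GITHUB_TOKEN do not start new workflow runs, so if any workflow in this repository is triggered by the `release` event, it will no longer fire when the release is created or updated through this pipeline. That behaviour is a common reason for using an App token, so check for such consumers before relying on the switch.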

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

wf=".github/workflows/_rust-binary.yml"

echo "== workflow_call header =="
sed -n '1,40p' "$wf"

echo
echo "== direct secret references in reusable workflow =="
rg -n -C2 '\bsecrets\.' "$wf" || true

echo
echo "== lines using github.token =="
rg -n -C1 '\bgithub\.token\b' "$wf"

Repository: iii-hq/workers

Length of output: 1453


Remove secrets: inherit — the reusable workflow does not declare or use secret inputs.

The .github/workflows/_rust-binary.yml workflow defines no secrets in its workflow_call interface and uses github.token for authentication (line 132). Passing secrets: inherit unnecessarily over-permissions the callee.

Suggested fix
   binary-build:
     name: Binary Release
     needs: [setup, create-release]
     if: ${{ !failure() && !cancelled() }}
     uses: ./.github/workflows/_rust-binary.yml
     with:
       bin_name: image-resize
       manifest_path: image-resize/Cargo.toml
       tag_name: ${{ needs.setup.outputs.tag }}
       is_prerelease: ${{ needs.setup.outputs.is_prerelease == 'true' }}
       skip_create_release: true
       dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
-    secrets: inherit
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 101, Remove the unnecessary secrets
inheritance: locate the reusable workflow call that currently includes the key
"secrets: inherit" (the invocation of the _rust-binary reusable workflow) and
delete that "secrets: inherit" line so the caller no longer passes secrets to
the callee; leave the rest of the workflow_call invocation intact so the
reusable workflow continues to use github.token as before.
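As an added check (not part of the PR or of CodeRabbit's output), this Python audit implements the condition both review comments above apply by hand: a caller job that passes `secrets: inherit` to a local reusable workflow whose `workflow_call` interface declares no secrets. The sample workflows are constructed to mirror the shape of the files in the PR, and the reader is a small indentation-based line scanner, not a YAML parser.

```python
# Constructed sample workflows (not the project's real files): a caller job that
# forwards every repository secret, and the reusable workflow it calls, whose
# workflow_call interface declares inputs only.
CALLER = """\
jobs:
  binary-build:
    uses: ./.github/workflows/_rust-binary.yml
    with:
      bin_name: iii-lsp
    secrets: inherit
"""
REUSABLE = """\
on:
  workflow_call:
    inputs:
      bin_name: {required: true, type: string}
"""

def yaml_paths(text):
    """Yield (key_path, value) for each mapping line, tracked by indentation.
    A small line-based reader for workflow files, not a full YAML parser."""
    stack = []  # [(indent, key), ...] for the mapping keys enclosing this line
    for raw in text.splitlines():
        s, ind = raw.strip(), len(raw) - len(raw.lstrip())
        if s.startswith("- "):  # treat a list item as a key nested one level deeper
            s, ind = s[2:], ind + 2
        if not s or s.startswith("#"):
            continue
        key, _, value = s.partition(":")
        while stack and stack[-1][0] >= ind:  # leave every block at this depth or deeper
            stack.pop()
        stack.append((ind, key))
        yield [k for _, k in stack], value.strip()

def declared_call_secrets(text):
    """Secret names a reusable workflow declares under on.workflow_call.secrets."""
    return {p[3] for p, _ in yaml_paths(text)
            if len(p) == 4 and p[:3] == ["on", "workflow_call", "secrets"]}

def inherit_findings(caller_text, callee_sources):
    """(job, callee) pairs where a caller job passes 'secrets: inherit' to a local
    reusable workflow (looked up in callee_sources) that declares no secrets."""
    jobs = {}
    for p, v in yaml_paths(caller_text):
        if len(p) == 3 and p[0] == "jobs" and p[2] in ("uses", "secrets"):
            jobs.setdefault(p[1], {})[p[2]] = v
    return [(job, j["uses"]) for job, j in jobs.items()
            if j.get("secrets") == "inherit" and j.get("uses") in callee_sources
            and not declared_call_secrets(callee_sources[j["uses"]])]
```

Run it over a checkout by reading each file under .github/workflows into the callee_sources dict keyed by its `./.github/workflows/<name>` path; a job that appears in the result is the case the two comments flag.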

@guibeira guibeira merged commit 9c9a961 into main Apr 9, 2026
5 checks passed