Skip to content

feat(ci): BEE-2224 release-please uses GitHub App token#31

Merged
alfredrc merged 1 commit into
developfrom
milestone/phase-1-beeping-core
May 9, 2026
Merged

feat(ci): BEE-2224 release-please uses GitHub App token#31
alfredrc merged 1 commit into
developfrom
milestone/phase-1-beeping-core

Conversation

@alfredrc
Copy link
Copy Markdown
Member

@alfredrc alfredrc commented May 9, 2026

Summary

Permanent fix for the manual tag re-push workaround surfaced when v0.7.0
was cut yesterday. Replaces the implicit GITHUB_TOKEN in
release-please.yml with a 1h-TTL installation token minted by
actions/create-github-app-token@v1 for the new
beeping-io-release-please GitHub App.

Closes BEE-2224.

Why

GitHub's recursive-workflow protection blocks tags/pushes made by
GITHUB_TOKEN from triggering further workflow runs. When v0.7.0
landed:

  1. release-please pushed v0.7.0 tag with GITHUB_TOKEN
  2. release.yml (which fires on tags: ['v*']) was suppressed
  3. The GH Release page existed but with 0 assets until a manual
    git push origin --delete v0.7.0 && git push origin v0.7.0
    re-pushed the tag with the user's identity, which fires the workflow

This is unsustainable across the 13 phases of the roadmap. The app
token has its own identity (not GITHUB_TOKEN), so its tag pushes
chain into release.yml automatically.

What changed

  • .github/workflows/release-please.yml — adds an app-token step
    using actions/create-github-app-token@v1 with
    RELEASE_PLEASE_APP_ID + RELEASE_PLEASE_APP_PRIVATE_KEY secrets;
    passes the minted token to googleapis/release-please-action@v4 via
    the token: input.
  • docs/setup/releases.md (new) — full setup procedure (so the
    pattern is replicable to beeping-android, beeping-ios,
    beepbox, beeping-cli, etc. when their pipelines arrive) +
    troubleshooting playbook (Bad credentials, manifest drift,
    manual tag re-push recovery).

Setup state (already done outside this PR)

  • ✅ GitHub App beeping-io-release-please created at the
    beeping-io org, with contents:write + issues:write +
    pull_requests:write repo permissions, no webhook
  • ✅ Private key generated, downloaded as .pem
  • ✅ App installed on beeping-io/beeping-core
  • ✅ Repo secrets RELEASE_PLEASE_APP_ID (App ID numeric) +
    RELEASE_PLEASE_APP_PRIVATE_KEY (full .pem contents) added —
    visible via gh secret list with timestamps 2026-05-08T12:52:30Z
    and 2026-05-08T12:53:09Z

Test plan

  • CI on milestone/phase-1-beeping-core green (Lint + Build & Test
    matrix + sanitizers)
  • After merge to develop → main: first run of release-please.yml
    with the new token configuration runs without auth errors
  • Real validation deferred to the next actual release: when
    release-please opens its next release PR (after BEE-65 or other
    feat: work lands) and that PR is merged, release.yml should
    fire automatically on the tag push without the manual
    git push --delete + git push recovery dance

@alfredrc @claude
feat(ci): BEE-2224 release-please uses GitHub App token
d4b9394 
Tags pushed by the default GITHUB_TOKEN do not trigger downstream
workflows (GitHub's recursive-workflow protection). When v0.7.0 was
cut, release-please pushed v0.7.0 with GITHUB_TOKEN — release.yml
did not fire and the GH Release shipped with 0 assets until a manual
`git push origin --delete v0.7.0 && git push origin v0.7.0` workaround.

Replaces the implicit GITHUB_TOKEN with a 1h-TTL installation token
minted by actions/create-github-app-token@v1 for the new
`beeping-io-release-please` GitHub App. Tag pushes now use the app
identity (not GITHUB_TOKEN), so release.yml fires automatically on
every release-please merge.

* `.github/workflows/release-please.yml` — adds the `app-token` step
  before release-please-action; passes the minted token via the
  `token:` input.
* `docs/setup/releases.md` (new) — full setup procedure (replicable to
  beeping-android, beeping-ios, beepbox, etc. when their pipelines
  arrive) + troubleshooting playbook (manual tag re-push recovery,
  401/Bad credentials, manifest drift).

The two repo secrets `RELEASE_PLEASE_APP_ID` and
`RELEASE_PLEASE_APP_PRIVATE_KEY` are configured on
`beeping-io/beeping-core`. The app is installed on this repo with
contents/issues/pull-requests write permissions.

Validation deferred to the next real release after this lands —
release-please.yml runs without auth errors will confirm the token,
and the next vX.Y.Z merge will confirm the tag-push trigger fires
release.yml automatically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alfredrc alfredrc merged commit f30b688 into develop May 9, 2026
16 of 18 checks passed
@alfredrc alfredrc deleted the milestone/phase-1-beeping-core branch May 9, 2026 03:23
@alfredrc alfredrc mentioned this pull request May 9, 2026
Merged
3 tasks
@beeping-io-release-please beeping-io-release-please Bot mentioned this pull request May 9, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alfredrc