Skip to content

ci(release): use client-id for the tap-token GitHub App#1285

Merged
mstykow merged 1 commit into
mainfrom
fix/release-app-token-client-id
Jul 15, 2026
Merged

ci(release): use client-id for the tap-token GitHub App#1285
mstykow merged 1 commit into
mainfrom
fix/release-app-token-client-id

Conversation

@mstykow

@mstykow mstykow commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • actions/create-github-app-token deprecated the app-id input in favor of client-id; the v0.2.6 release run surfaced this as a warning on the Bump Homebrew formula job.
  • Switch the tap-token step in release.yml to pass the GitHub App's Client ID via the new RELEASE_BOT_CLIENT_ID secret, and update the neighboring comment to match.

Scope and exclusions

  • Included: the single tap-token step in the bump-homebrew job.
  • Explicit exclusions: no other action inputs or jobs changed. The RELEASE_BOT_CLIENT_ID secret has already been provisioned by the maintainer.

How to verify

  • Config-only change to a release-gated job. It cannot run on this PR (the bump-homebrew job only fires on stable tag pushes to getprovenant/provenant), so the real signal is the next stable release: the app-id deprecation warning should be gone and the tap-token step should still mint a valid token.

Follow-up work

  • The remaining v0.2.6 release warnings are non-actionable: the macOS aws/tap trust notices are runner-image noise, and the container-image artifact-metadata/no artifacts found warning is a benign message from the latest attest-build-provenance when attesting an OCI image (the attestation itself succeeds).

actions/create-github-app-token deprecated `app-id` in favor of
`client-id`; switch the Homebrew tap-token step to the App's Client ID
(RELEASE_BOT_CLIENT_ID) to clear the deprecation warning.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Maxim Stykow <maxim.stykow@gmail.com>
@mstykow
mstykow merged commit 66d9e26 into main Jul 15, 2026
19 checks passed
@mstykow
mstykow deleted the fix/release-app-token-client-id branch July 15, 2026 19:57
@greptile-apps

greptile-apps Bot commented Jul 15, 2026

Copy link
Copy Markdown

Greptile Summary

This PR updates the bump-homebrew job in release.yml to pass the GitHub App's Client ID via the new client-id input (and the matching RELEASE_BOT_CLIENT_ID secret), replacing the deprecated app-id input and RELEASE_BOT_APP_ID secret used by actions/create-github-app-token.

  • Swaps app-id: ${{ secrets.RELEASE_BOT_APP_ID }} for client-id: ${{ secrets.RELEASE_BOT_CLIENT_ID }} in the tap-token step, resolving the deprecation warning surfaced in the v0.2.6 release run.
  • Updates the inline comment above the step to reference the new secret name, keeping documentation in sync.

Confidence Score: 5/5

Safe to merge — this is a one-input rename in a release-gated job with no logic changes.

The change touches a single step in a job that only fires on stable tag pushes. It replaces a deprecated input name with its successor, the action's pinned SHA is unchanged, and no other workflow files reference the old secret. The new secret has already been provisioned, so the only observable effect at the next stable release will be the absence of the deprecation warning.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/release.yml Minimal, targeted update: replaces the deprecated app-id input and RELEASE_BOT_APP_ID secret with client-id and RELEASE_BOT_CLIENT_ID in the bump-homebrew job's tap-token step. The action is still pinned to the same commit SHA, and no other steps or jobs are affected.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant W as bump-homebrew job
    participant A as actions/create-github-app-token
    participant GH as GitHub API

    W->>A: client-id (RELEASE_BOT_CLIENT_ID) + private-key (RELEASE_BOT_PRIVATE_KEY)
    A->>GH: Authenticate as GitHub App
    GH-->>A: Short-lived installation token (scoped to homebrew-tap)
    A-->>W: steps.tap_token.outputs.token
    W->>GH: Checkout getprovenant/homebrew-tap using minted token
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant W as bump-homebrew job
    participant A as actions/create-github-app-token
    participant GH as GitHub API

    W->>A: client-id (RELEASE_BOT_CLIENT_ID) + private-key (RELEASE_BOT_PRIVATE_KEY)
    A->>GH: Authenticate as GitHub App
    GH-->>A: Short-lived installation token (scoped to homebrew-tap)
    A-->>W: steps.tap_token.outputs.token
    W->>GH: Checkout getprovenant/homebrew-tap using minted token
Loading

Reviews (1): Last reviewed commit: "ci(release): use client-id for the tap-t..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant