Skip to content

chore: migrate publish job from PAT to GitHub App authentication#521

Open
mbruzda-splunk wants to merge 1 commit into
developfrom
chore/publish-app-auth
Open

chore: migrate publish job from PAT to GitHub App authentication#521
mbruzda-splunk wants to merge 1 commit into
developfrom
chore/publish-app-auth

Conversation

@mbruzda-splunk

Copy link
Copy Markdown
Contributor

Summary

  • Removes GH_TOKEN_ADMIN (service account PAT) from the workflow_call secrets — it is no longer accepted by callers
  • Adds a Generate app token step at the start of the publish job using actions/create-github-app-token@v3 with GH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY, consistent with every other job in this workflow
  • Passes steps.app-token.outputs.token to splunk/semantic-release-action (git push + tag to main) and softprops/action-gh-release (custom-version releases)

Why the PAT didn't work

The main branch ruleset on consumer repos has a bypass actor for the splunk-ta-helper GitHub App. A PAT from the service account is not the app, so pushes from semantic-release were rejected with 403. The short-lived app token passes the bypass check.

Callers must remove GH_TOKEN_ADMIN from their secrets block

# remove this line from your workflow
GH_TOKEN_ADMIN: ${{ secrets.GH_TOKEN_ADMIN }}

Ensure SPLUNK_TA_HELPER_APP_ID / SPLUNK_TA_HELPER_PRIVATE_KEY are set as repo secrets and passed as GH_APP_CLIENT_ID / GH_APP_PRIVATE_KEY.

Test plan

  • Trigger a push to main on a consumer repo and verify the publish job completes (semantic-release pushes signed tag + commit without 403)
  • Trigger a workflow_dispatch with custom-version set and verify action-gh-release creates the release successfully
  • Confirm GH_TOKEN_ADMIN secret can be removed from consumer repos after adopting this version

🤖 Generated with Claude Code

Replace GH_TOKEN_ADMIN (service account PAT) with a short-lived token
generated from GH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY, consistent with
how all other jobs in this workflow already authenticate.

- Remove GH_TOKEN_ADMIN from the workflow_call secrets block
- Add Generate app token step at the start of the publish job
- Pass steps.app-token.outputs.token to semantic-release and
  action-gh-release instead of the PAT

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mbruzda-splunk
mbruzda-splunk requested a review from a team as a code owner July 17, 2026 09:59

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e1cf250f8f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines 85 to 86
secrets:
GH_TOKEN_ADMIN:
description: Github admin token
required: true
GH_APP_CLIENT_ID:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Retain the deprecated secret during the migration

Existing callers that were valid against the previous workflow_call contract must explicitly pass GH_TOKEN_ADMIN, because it was required; once this declaration is removed, GitHub rejects those callers with an undefined-secret workflow validation error before any job runs. This repository documents that workflow updates are automatically applied to consumer repositories (README.md:177), but this commit cannot update their secrets: blocks, so publishing and all other workflow execution will break until every consumer changes in lockstep. Keep GH_TOKEN_ADMIN declared as optional (while leaving it unused) for a compatibility window.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants