chore: migrate publish job from PAT to GitHub App authentication#521
chore: migrate publish job from PAT to GitHub App authentication#521mbruzda-splunk wants to merge 1 commit into
Conversation
Replace GH_TOKEN_ADMIN (service account PAT) with a short-lived token generated from GH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY, consistent with how all other jobs in this workflow already authenticate. - Remove GH_TOKEN_ADMIN from the workflow_call secrets block - Add Generate app token step at the start of the publish job - Pass steps.app-token.outputs.token to semantic-release and action-gh-release instead of the PAT Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e1cf250f8f
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| secrets: | ||
| GH_TOKEN_ADMIN: | ||
| description: Github admin token | ||
| required: true | ||
| GH_APP_CLIENT_ID: |
There was a problem hiding this comment.
Retain the deprecated secret during the migration
Existing callers that were valid against the previous workflow_call contract must explicitly pass GH_TOKEN_ADMIN, because it was required; once this declaration is removed, GitHub rejects those callers with an undefined-secret workflow validation error before any job runs. This repository documents that workflow updates are automatically applied to consumer repositories (README.md:177), but this commit cannot update their secrets: blocks, so publishing and all other workflow execution will break until every consumer changes in lockstep. Keep GH_TOKEN_ADMIN declared as optional (while leaving it unused) for a compatibility window.
Useful? React with 👍 / 👎.
Summary
GH_TOKEN_ADMIN(service account PAT) from theworkflow_callsecrets — it is no longer accepted by callerspublishjob usingactions/create-github-app-token@v3withGH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY, consistent with every other job in this workflowsteps.app-token.outputs.tokentosplunk/semantic-release-action(git push + tag tomain) andsoftprops/action-gh-release(custom-version releases)Why the PAT didn't work
The
mainbranch ruleset on consumer repos has a bypass actor for thesplunk-ta-helperGitHub App. A PAT from the service account is not the app, so pushes from semantic-release were rejected with 403. The short-lived app token passes the bypass check.Callers must remove
GH_TOKEN_ADMINfrom their secrets blockEnsure
SPLUNK_TA_HELPER_APP_ID/SPLUNK_TA_HELPER_PRIVATE_KEYare set as repo secrets and passed asGH_APP_CLIENT_ID/GH_APP_PRIVATE_KEY.Test plan
mainon a consumer repo and verify thepublishjob completes (semantic-release pushes signed tag + commit without 403)workflow_dispatchwithcustom-versionset and verifyaction-gh-releasecreates the release successfullyGH_TOKEN_ADMINsecret can be removed from consumer repos after adopting this version🤖 Generated with Claude Code