Skip to content

ci: push release bumps via a GitHub App token to satisfy branch protection#30

Merged
andrey-embarklabs merged 1 commit into
NrgXnat:mainfrom
andrey-embarklabs:plt/release-oci-app-token
Jun 16, 2026
Merged

ci: push release bumps via a GitHub App token to satisfy branch protection#30
andrey-embarklabs merged 1 commit into
NrgXnat:mainfrom
andrey-embarklabs:plt/release-oci-app-token

Conversation

@andrey-embarklabs

Copy link
Copy Markdown
Contributor

Why

When #21 merged, release-oci correctly computed the major bump (1.1.0 -> 2.0.0) but failed to push it: main is protected ("changes must be made through a pull request"), so the bump commit was rejected. The tag push isn't gated, so a xnat-2.0.0 tag leaked pointing at an unmerged commit (already cleaned up), and nothing was published.

The default GITHUB_TOKEN / github-actions[bot] is not a clean ruleset bypass actor. A GitHub App is, so this authenticates the push as an App.

What changed

  • Mint an App token with actions/create-github-app-token@v3.2.0 and check out with it, so git push to main authenticates as the App.
  • Attribute the bump commit to the App's bot user.
  • The OCI push still uses the built-in GITHUB_TOKEN, so the App needs only Contents: read-and-write, nothing else.

Verified with actionlint (shellcheck at --severity=error). This is inert until the secrets below exist, and merging it does not trigger a release (release-oci is helm/**-triggered).

Required setup (repo admin, one-off)

  1. Create a GitHub App (org-owned): Contents → Read and write, webhook off, "only on this account".
  2. Install it on NrgXnat/helm-charts.
  3. Add it to the main ruleset's bypass list.
  4. Add two repo secrets:
    • RELEASE_APP_CLIENT_ID = the App's Client ID (from the App's General page, not the numeric App ID)
    • RELEASE_APP_PRIVATE_KEY = the generated private key (full .pem contents)

To publish 2.0.0 after setup

Run release-oci via workflow_dispatch. With the xnat-2.0.0 tag already removed, it recomputes the #21 commits (1.1.0 -> 2.0.0, major), commits the bump to main, tags xnat-2.0.0, and pushes the OCI artifact to GHCR. Then set the new package's visibility to Public and link it to this repo.

…ction

The auto-bump commit is pushed back to main, which the branch ruleset
rejects for the default github-actions bot. Authenticate the push as a
GitHub App (a first-class ruleset bypass actor) via create-github-app-token.
The OCI push still uses GITHUB_TOKEN, so the App needs only Contents: write.
Requires secrets RELEASE_APP_CLIENT_ID and RELEASE_APP_PRIVATE_KEY and the
App on the ruleset bypass list.
@andrey-embarklabs andrey-embarklabs merged commit cb7cb50 into NrgXnat:main Jun 16, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant