Skip to content

Update popular_actions.go for actions/create-github-app-token@v3#668

Open
esaari wants to merge 1 commit into
rhysd:mainfrom
esaari:update-create-github-app-token-v3
Open

Update popular_actions.go for actions/create-github-app-token@v3#668
esaari wants to merge 1 commit into
rhysd:mainfrom
esaari:update-create-github-app-token-v3

Conversation

@esaari

@esaari esaari commented May 21, 2026

Copy link
Copy Markdown

Closes #669.

What

Regenerate the v3 entry in popular_actions.go for
actions/create-github-app-token
to match its current upstream action.yml.

Diff:

  • app-id — was required: true; now required: false with deprecationMessage: "Use 'client-id' instead."
  • client-id — added (canonical replacement for app-id)
  • enterprise — added
  • permission-artifact-metadata — added
  • permission-attestations — added
  • permission-discussions — added
  • permission-merge-queues — added

v1 and v2 schemas were verified against their respective live action.yml files
and left untouched — those tags ship app-id only and don't need any change.

Why

The bundled v3 schema still requires app-id and doesn't know about client-id.
On any workflow using the canonical input, actionlint produces two false-positives
per with: block:

missing input "app-id" which is required by action "actions/create-github-app-token@v3"
input "client-id" is not defined in action "actions/create-github-app-token@v3"

actions/create-github-app-token@v3 was published 2025-09 with client-id as the
canonical input; teams adopting the supported input get this false-positive pair
on every call site. Full repro and root cause in #669.

Generation method

I tried the full regen first
(go run ./scripts/generate-popular-actions ./popular_actions.go),
but it currently fails on an unrelated 404:

request was not successful https://raw.githubusercontent.com/actions-cool/issues-helper/v1/action.yml: 404 Not Found
exit status 1

actions-cool/issues-helper appears to have moved/deleted its v1 tag upstream.
This is also blocking the weekly auto-refresh workflow from updating any entry —
worth a follow-up to make the generator tolerant of upstream 404s, but out of
scope for this PR. I scoped the regen to just the affected action via a
single-entry registry:

go run ./scripts/generate-popular-actions \
  -r /tmp/cgat-registry.json -q

(where /tmp/cgat-registry.json contains only the actions/create-github-app-token
slug). The output was then patched into the existing popular_actions.go in place.
The resulting diff is byte-for-byte what the full regenerator would produce for
this entry — no manual edits to the generated formatting.

Verification

  • go build ./... — pass
  • go test -run TestPopularActionsDataset ./... — pass
  • go test ./... — pass

The action's v3 action.yml added `client-id` as the canonical input,
deprecating `app-id`, and added several new inputs (`enterprise`,
`permission-artifact-metadata`, `permission-attestations`,
`permission-discussions`, `permission-merge-queues`).

The bundled v3 schema still marked `app-id` as required and did not
know about `client-id`, producing two false-positives per `with:` block
on workflows that use the canonical input:

  - `missing input "app-id" which is required by action ...`
  - `input "client-id" is not defined in action ...`

Regenerated via:

  go run ./scripts/generate-popular-actions \
    -r /tmp/single-entry-registry.json -q

against a single-entry registry containing only this slug (the full
default-registry regen currently fails on an unrelated 404 for a
deleted upstream tag — `actions-cool/issues-helper@v1`).

v1 and v2 entries were verified against their current action.yml and
left untouched — those tags ship `app-id` only.
heitbaum added a commit to heitbaum/actions that referenced this pull request Jun 7, 2026
…oken@v3

client-id was introduced as the preferred input in
actions/create-github-app-token@v3.1.0 (PR #353); app-id is now
deprecated. Actionlint bundled metadata is stale and incorrectly
requires app-id and rejects client-id, producing two false-positives:

  missing input "app-id" which is required by action "actions/create-github-app-token@v3"
  input "client-id" is not defined in action "actions/create-github-app-token@v3"

Add ignore patterns to .github/actionlint.yaml to suppress both until
rhysd/actionlint#668 is merged and a new release ships the corrected
schema.

- reviewdog/action-actionlint@v1 (action)
heitbaum added a commit to heitbaum/actions that referenced this pull request Jun 7, 2026
…oken@v3

client-id was introduced as the preferred input in
actions/create-github-app-token@v3.1.0 (PR #353); app-id is now
deprecated. Actionlint bundled metadata is stale and incorrectly
requires app-id and rejects client-id, producing two false-positives:

  missing input "app-id" which is required by action "actions/create-github-app-token@v3"
  input "client-id" is not defined in action "actions/create-github-app-token@v3"

Add ignore patterns to .github/actionlint.yaml to suppress both until
rhysd/actionlint#668 is merged and a new release ships the corrected
schema.

- reviewdog/action-actionlint@v1 (action)
@smorin

smorin commented Jun 16, 2026

Copy link
Copy Markdown

Looking forward to this fix

smorin added a commit to smorinlabs/py-launch-blueprint that referenced this pull request Jun 16, 2026
actionlint v1.7.12 (latest) has stale schema for
actions/create-github-app-token@v3 and flags `client-id` as an
unknown input. The action does accept `client-id` (added shortly
after actionlint's bundled metadata was generated), with `app-id`
now deprecated.

Add a narrowly-scoped suppression in .github/actionlint.yaml until
upstream lands a fix. Tracking:
  - rhysd/actionlint#652 (PR, opened 2026-04-20)
  - rhysd/actionlint#668 (PR, opened 2026-05-21)

REMOVE this file once a newer actionlint release ships with updated
metadata.
smorin added a commit to smorinlabs/py-launch-blueprint that referenced this pull request Jun 16, 2026
* ci: migrate release-please + update-contributors to client-id

Both workflows used the legacy single-step `app-id` pattern with
`RELEASE_PLEASE_APP_ID` / `CONTRIBUTORS_PLEASE_APP_ID` secrets.
`actions/create-github-app-token@v3` deprecated `app-id` in favor of
`client-id` (the App's Client ID, e.g. Iv23li...). The corresponding
*_CLIENT_ID secrets are already provisioned on the repo via the
repo-secrets skill.

- release-please.yml: rename RP_APP_ID -> RP_CLIENT_ID env var, switch
  app-id -> client-id input in both release-please and sync-uv-lock
  jobs, update header comment.
- update-contributors.yml: switch app-id -> client-id input passed to
  smorinlabs/contributors-please-action (which accepts both).

Sibling repos (smorinlabs/contributors-please, contributors-please-action)
already migrated and verified via probe runs.

* ci(actionlint): suppress false-positive `client-id` warning

actionlint v1.7.12 (latest) has stale schema for
actions/create-github-app-token@v3 and flags `client-id` as an
unknown input. The action does accept `client-id` (added shortly
after actionlint's bundled metadata was generated), with `app-id`
now deprecated.

Add a narrowly-scoped suppression in .github/actionlint.yaml until
upstream lands a fix. Tracking:
  - rhysd/actionlint#652 (PR, opened 2026-04-20)
  - rhysd/actionlint#668 (PR, opened 2026-05-21)

REMOVE this file once a newer actionlint release ships with updated
metadata.

* fix(ci): keep app-id input name in update-contributors.yml

smorinlabs/contributors-please-action's action.yml only declares
`app-id` as input (no `client-id`). The prior migration commit
renamed it to `client-id:` — at runtime that input would be silently
ignored and App auth would fail.

Revert just the input NAME change in update-contributors.yml; keep
the secret VALUE pointing at CONTRIBUTORS_PLEASE_CLIENT_ID. The
action's `app-id` input forwards to @octokit/auth-app's
`createAppAuth({ appId })`, which transparently accepts both numeric
App IDs and Client ID strings (PR #38 in the action repo uses the
same approach for e2e.yml).

Also narrow .github/actionlint.yaml — update-contributors.yml no
longer references `client-id`, so its suppression entry is removed.
release-please.yml's suppression stays (canonical
actions/create-github-app-token@v3, still flagged by actionlint v1.7.12).

* style(actionlint): wrap long ignore-rule strings to satisfy yamllint

Reviewer feedback (CodeRabbit): lines 51 and 53 of .github/actionlint.yaml
exceed the 88-char limit yamllint warns at. Use YAML folded scalars
(>-) to break across lines while preserving the byte-identical string
actionlint matches against.
@ElDavoo

ElDavoo commented Jun 22, 2026

Copy link
Copy Markdown

Looking backwards, and everywhere around me, for this fix

@esaari

esaari commented Jun 22, 2026

Copy link
Copy Markdown
Author

@rhysd Could I please get a review and/or merge on this? Are you planning a release soon?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

False-positive on actions/create-github-app-token@v3 client-id input

3 participants