Skip to content

ci(release): mint App token so release PR triggers required checks#2351

Merged
andybevan-scope3 merged 1 commit into
mainfrom
abevan/release-workflow-app-token
Jul 9, 2026
Merged

ci(release): mint App token so release PR triggers required checks#2351
andybevan-scope3 merged 1 commit into
mainfrom
abevan/release-workflow-app-token

Conversation

@andybevan-scope3

Copy link
Copy Markdown
Collaborator

Problem

.github/workflows/release.yml runs changesets/action@v1 with GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}. GitHub suppresses workflow triggers for events created by the default GITHUB_TOKEN (its recursion guard), so the bot-opened "chore: release package" PR never fires the pull_request_target-based IPR Policy / Signature check (.github/workflows/ipr-agreement.yml).

That check is a required status check on main (the "ipr policy" ruleset), so every release PR sits BLOCKED on "Expected — Waiting for status to be reported" and can only be merged by an admin bypass. PR #2348 is currently stuck this way.

Fix

Mint an AAO IPR Bot installation token (IPR_APP_ID / IPR_APP_PRIVATE_KEY) and use it for both the checkout and the changesets step, instead of the default GITHUB_TOKEN. The release PR is then attributed to the App identity, whose events do trigger downstream workflows — so the IPR check fires and the PR is born mergeable.

Mirrors the two in-org reference implementations:

  • adcontextprotocol/adcp.github/workflows/release.yml (same changesets flow; uses RELEASE_APP_ID/RELEASE_APP_PRIVATE_KEY).
  • adcontextprotocol/adcp-client-python.github/workflows/release-please.yml (uses IPR_APP_ID/IPR_APP_PRIVATE_KEY).

Which App / prerequisite verification

Verified before wiring (I only have WRITE, not admin, so this was the key check):

  • The org secrets available to this repo are IPR_APP_* and SECRETARIAT_APP_* (no RELEASE_APP_* — that App is scoped to adcp only).
  • adcp/governance/ipr-bot-setup.md documents the AAO IPR Bot App's repository permissions as Contents: Read & write + Pull requests: Write, and lists adcontextprotocol/adcp-client in its installation scope. GitHub App permissions are App-wide, so this is exactly what the changesets branch-push + PR-open need.
  • Same secrets are already used on this repo by ai-review.yml and ipr-agreement.yml, and drive the sibling adcp-client-python release flow. No admin handoff required.

I used create-github-app-token@v1 to match this repo's existing usage in ai-review.yml (rather than @v3 from the task text) so the two workflows stay consistent.

Scope / notes

  • .github/-only change → no changeset needed (the changeset-check job passes).
  • Because it modifies a workflow file, Argus won't auto-review it — a human merges.
  • This fixes future release PRs. It does not unstick the current chore: release package #2348 — that still needs an admin to merge or reopen it.

Verification

  • npm run lint:workflows → passed for 16 files.
  • YAML parses; release steps: Mint release bot token | Checkout Repo | Setup Node.js | Install Dependencies | Build | Create Release Pull Request or Publish to npm.

🤖 Generated with Claude Code

The Changesets "chore: release package" PR was opened by the default
GITHUB_TOKEN. GitHub suppresses workflow triggers for events created by
that token (its recursion guard), so the pull_request_target-based
`IPR Policy / Signature` check (ipr-agreement.yml) never fired on the
release PR. That check is required on main, leaving every release PR
BLOCKED on "Expected — Waiting for status to be reported" and mergeable
only by an admin bypass.

Mint an AAO IPR Bot installation token (IPR_APP_ID / IPR_APP_PRIVATE_KEY,
already used by ai-review.yml and ipr-agreement.yml) and use it for both
the checkout and the changesets step. Events authored by the App identity
are not suppressed, so downstream required checks fire and the release PR
is born mergeable.

The AAO IPR Bot App is installed on adcp-client with Contents: write and
Pull requests: write (per adcp/governance/ipr-bot-setup.md), which is
exactly what the changesets branch push + PR open need. Mirrors the
adcp-client-python release-please.yml pattern.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@aao-ipr-bot aao-ipr-bot Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving. Swapping the default GITHUB_TOKEN for an App installation token is the correct fix for the recursion-guard trap — App-identity events aren't suppressed, so the required IPR Policy / Signature check fires and the release PR is born mergeable instead of BLOCKED behind an admin bypass.

Things I checked

  • .github/-only, no changeset needed. Single file, release.yml, 17/−1. Nothing under src/lib/, bin/, or package.json's files field — MUST FIX #5 does not apply. Changeset-check job correctly passes.
  • App-token pattern is consistent with the repo. create-github-app-token@v1 with IPR_APP_ID/IPR_APP_PRIVATE_KEY already ships in ai-review.yml:69-72; the same org secrets drive ipr-agreement.yml:22-23. No new secret provisioning, no admin handoff. Matches the PR body's claim.
  • npm publish path is untouched. id-token: write is preserved (release.yml:27) and the publish runs on OIDC trusted publishing + NPM_CONFIG_PROVENANCE: true, not GITHUB_TOKEN. Swapping the changesets env.GITHUB_TOKEN at L69 only re-attributes the branch push, PR open, git tag, and GitHub release — exactly what needs a non-default identity. The @adcp/client deprecate note at L56-61 is unaffected.
  • App permissions cover the operation. Contents: R&W + Pull requests: Write is what checkout + changesets branch-push + PR-open require. Right shape.

Follow-ups (non-blocking — file as issues)

  • The fix is forward-only, as the PR body states — #2348 stays stuck until an admin merges or reopens it. Worth a one-line note in the release runbook so the next person doesn't wait on the workflow to unstick a PR opened under the old token.

The PR body predicts Argus won't review a workflow file. Noted, and reviewed anyway.

LGTM.

@andybevan-scope3 andybevan-scope3 merged commit 96a08ad into main Jul 9, 2026
31 checks passed
@andybevan-scope3 andybevan-scope3 deleted the abevan/release-workflow-app-token branch July 9, 2026 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant