ci(release): mint App token so release PR triggers required checks#2351
Merged
Conversation
The Changesets "chore: release package" PR was opened by the default GITHUB_TOKEN. GitHub suppresses workflow triggers for events created by that token (its recursion guard), so the pull_request_target-based `IPR Policy / Signature` check (ipr-agreement.yml) never fired on the release PR. That check is required on main, leaving every release PR BLOCKED on "Expected — Waiting for status to be reported" and mergeable only by an admin bypass. Mint an AAO IPR Bot installation token (IPR_APP_ID / IPR_APP_PRIVATE_KEY, already used by ai-review.yml and ipr-agreement.yml) and use it for both the checkout and the changesets step. Events authored by the App identity are not suppressed, so downstream required checks fire and the release PR is born mergeable. The AAO IPR Bot App is installed on adcp-client with Contents: write and Pull requests: write (per adcp/governance/ipr-bot-setup.md), which is exactly what the changesets branch push + PR open need. Mirrors the adcp-client-python release-please.yml pattern. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Approving. Swapping the default GITHUB_TOKEN for an App installation token is the correct fix for the recursion-guard trap — App-identity events aren't suppressed, so the required IPR Policy / Signature check fires and the release PR is born mergeable instead of BLOCKED behind an admin bypass.
Things I checked
.github/-only, no changeset needed. Single file,release.yml, 17/−1. Nothing undersrc/lib/,bin/, orpackage.json'sfilesfield — MUST FIX #5 does not apply. Changeset-check job correctly passes.- App-token pattern is consistent with the repo.
create-github-app-token@v1withIPR_APP_ID/IPR_APP_PRIVATE_KEYalready ships inai-review.yml:69-72; the same org secrets driveipr-agreement.yml:22-23. No new secret provisioning, no admin handoff. Matches the PR body's claim. - npm publish path is untouched.
id-token: writeis preserved (release.yml:27) and the publish runs on OIDC trusted publishing +NPM_CONFIG_PROVENANCE: true, notGITHUB_TOKEN. Swapping the changesetsenv.GITHUB_TOKENat L69 only re-attributes the branch push, PR open, git tag, and GitHub release — exactly what needs a non-default identity. The@adcp/clientdeprecate note at L56-61 is unaffected. - App permissions cover the operation. Contents: R&W + Pull requests: Write is what checkout + changesets branch-push + PR-open require. Right shape.
Follow-ups (non-blocking — file as issues)
- The fix is forward-only, as the PR body states — #2348 stays stuck until an admin merges or reopens it. Worth a one-line note in the release runbook so the next person doesn't wait on the workflow to unstick a PR opened under the old token.
The PR body predicts Argus won't review a workflow file. Noted, and reviewed anyway.
LGTM.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
.github/workflows/release.ymlrunschangesets/action@v1withGITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}. GitHub suppresses workflow triggers for events created by the defaultGITHUB_TOKEN(its recursion guard), so the bot-opened "chore: release package" PR never fires thepull_request_target-based IPR Policy / Signature check (.github/workflows/ipr-agreement.yml).That check is a required status check on
main(the "ipr policy" ruleset), so every release PR sits BLOCKED on "Expected — Waiting for status to be reported" and can only be merged by an admin bypass. PR #2348 is currently stuck this way.Fix
Mint an AAO IPR Bot installation token (
IPR_APP_ID/IPR_APP_PRIVATE_KEY) and use it for both the checkout and the changesets step, instead of the defaultGITHUB_TOKEN. The release PR is then attributed to the App identity, whose events do trigger downstream workflows — so the IPR check fires and the PR is born mergeable.Mirrors the two in-org reference implementations:
adcontextprotocol/adcp→.github/workflows/release.yml(same changesets flow; usesRELEASE_APP_ID/RELEASE_APP_PRIVATE_KEY).adcontextprotocol/adcp-client-python→.github/workflows/release-please.yml(usesIPR_APP_ID/IPR_APP_PRIVATE_KEY).Which App / prerequisite verification
Verified before wiring (I only have
WRITE, not admin, so this was the key check):IPR_APP_*andSECRETARIAT_APP_*(noRELEASE_APP_*— that App is scoped toadcponly).adcp/governance/ipr-bot-setup.mddocuments the AAO IPR Bot App's repository permissions as Contents: Read & write + Pull requests: Write, and listsadcontextprotocol/adcp-clientin its installation scope. GitHub App permissions are App-wide, so this is exactly what the changesets branch-push + PR-open need.ai-review.ymlandipr-agreement.yml, and drive the siblingadcp-client-pythonrelease flow. No admin handoff required.I used
create-github-app-token@v1to match this repo's existing usage inai-review.yml(rather than@v3from the task text) so the two workflows stay consistent.Scope / notes
.github/-only change → no changeset needed (the changeset-check job passes).Verification
npm run lint:workflows→ passed for 16 files.🤖 Generated with Claude Code