[backport] [ci] Stop using Release App token + bump pnpm/action-setup#1913
Merged
TooTallNate merged 5 commits intoMay 4, 2026
Conversation
🦋 Changeset detectedLatest commit: 41047e5 The changes in this PR will be included in the next version bump. This PR includes changesets to release 0 packagesWhen changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
Contributor
🧪 E2E Test Results❌ Some tests failed Summary
❌ Failed Tests▲ Vercel Production (1 failed)vite (1 failed):
Details by Category❌ ▲ Vercel Production
✅ 🪟 Windows
❌ Some E2E test jobs failed:
Check the workflow run for details. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
Backports CI workflow updates to the stable branch to unblock releases after the “Release App” GitHub App was removed, by eliminating the dependency on an App-generated token and aligning pnpm setup with the repo’s pinned pnpm version in package.json.
Changes:
- Remove the “Generate GitHub App Token” step from the release workflow and switch all auth to
secrets.GITHUB_TOKEN, addingworkflow_dispatchfor manual release reruns. - Configure
changesets/action@v1to usecommitMode: github-apito satisfy “verified signature required” branch rules. - Bump
pnpm/action-setupfromv3tov5(and stop hardcoding pnpm version) across affected workflows and thesetup-workflow-devcomposite action.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/tests.yml | Updates pnpm setup to pnpm/action-setup@v5 in jobs that install pnpm directly. |
| .github/workflows/release.yml | Removes GitHub App token usage, adds manual dispatch trigger, uses GitHub API commit mode for signed commits, and upgrades pnpm setup. |
| .github/workflows/dispatch-front-workflow-release-pr.yml | Disables cross-repo dispatch jobs (still present but gated behind if: false &&). |
| .github/workflows/debug-windows.yml | Upgrades pnpm setup to pnpm/action-setup@v5. |
| .github/actions/setup-workflow-dev/action.yml | Removes the pnpm-version input and upgrades pnpm setup to pnpm/action-setup@v5. |
| .changeset/backport-release-app-token-removal.md | Adds a changeset note describing the backported CI changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
#1785) * ci: upgrade pnpm/action-setup to v6 and read version from package.json Removes hardcoded pnpm version (10.14.0) from all workflows and instead reads the version from the packageManager field in package.json, so CI stays in sync with the version used locally. * ci: update setup-workflow-dev composite action to use pnpm/action-setup@v6 Also removes the pnpm-version input since the action now reads the version from package.json#packageManager. * ci: downgrade pnpm/action-setup to v5 v6 installs pnpm 11 RC/beta, which has a regression (pnpm/pnpm#11264, pnpm/action-setup#225/#227/#228) that causes 'ERR_PNPM_BROKEN_LOCKFILE: expected a single document in the stream' when the project's packageManager pins a 10.x pnpm version. v5 is the latest stable release before v6 and supports reading the version from package.json#packageManager.
The Release App has been temporarily removed. Switch the Release and Backport workflows to use the default GITHUB_TOKEN, and disable the cross-repo Front dispatch workflow until the App is restored. Also add a workflow_dispatch trigger to release.yml so the Version Packages PR can be created/updated manually (since pushes made by GITHUB_TOKEN do not trigger downstream workflow runs).
The repo enforces "Commits must have verified signatures" via an org/enterprise-level ruleset, which blocks unsigned commits pushed via the Git CLI by GITHUB_TOKEN. Switching the changesets action to commitMode: github-api makes commits GPG-signed by GitHub.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Rajlich <n@n8.io>
TooTallNate
force-pushed
the
nate/backport-release-app-token-removal-stable
branch
from
6aa4c2c to
41047e5
Compare
TooTallNate
changed the base branch from
stable
to
peter/backport-tanstack-start-1875-1907
TooTallNate
merged commit 0c4f962
into
peter/backport-tanstack-start-1875-1907
9 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Release job on
stableis failing at theGenerate GitHub App Tokenstep because the Release App was temporarily removed:This was already addressed on
mainin #1866 + #1867 (and #1785 for the related pnpm/action-setup upgrade), but the changes were never backported tostable. This PR cherry-picks all three.Example failing run: https://github.com/vercel/workflow/actions/runs/25303132457/job/74173639841
Cherry-picked commits
In order:
ci: upgrade pnpm/action-setup to v5 and read version from package.json #1785 —
ci: upgrade pnpm/action-setup to v5 and read version from package.jsonpnpm/action-setup@v3+ explicitversion: 10.14.0with@v5(readspackageManagerfield frompackage.json, currently pinned at10.20.0)..github/workflows/backport.yml: doesn't exist on stable (main-only file) →git rm..github/workflows/docs-checks.ymland.github/workflows/lint.yml: stable's versions are intentionally stripped to no-op stubs (if: false+- run: true). Kept stable's stub bodies; nothing to upgrade since neither usespnpm/action-setupin those stubs.ci: stop using Release App token in release workflows #1866 —
ci: stop using Release App token in release workflows.github/workflows/release.yml: removes theGenerate GitHub App Tokenstep, switchesGITHUB_TOKENtosecrets.GITHUB_TOKENeverywhere, hardcodes git identity togithub-actions[bot], addsworkflow_dispatchtrigger for manual re-runs..github/workflows/dispatch-front-workflow-release-pr.yml: gates both jobs onif: false &&since the cross-repo dispatch tovercel/frontrequires the App token. (Backport-only filebackport.ymlskipped — doesn't exist on stable.)ci: use GitHub API commit mode for changesets action #1867 —
ci: use GitHub API commit mode for changesets actioncommitMode: github-apito thechangesets/action@v1invocation so commits are GPG-signed via the API (required by org-level branch rulesets that mandate verified signatures on all branches).Verification
After cherry-pick,
release.ymlis byte-identical tomain:Other touched files (
debug-windows.yml,tests.yml,setup-workflow-dev/action.yml) have remaining diffs vs main but those are pre-existing stable-vs-main divergences (e.g., stable'stests.ymltriggers on bothmainandstablebranches; main'ssetup-workflow-devhas a newercache-pnpminput added by an unrelated PR). None of those are in scope for the App token fix.dispatch-front-workflow-release-pr.ymlhas a separate divergence in thewait-for-vercel-projectaction API shape (stable uses the olderteam-id/project-id/vercel-tokenform, main uses the newerproject-slugform) — but both versions are now fully disabled viaif: false, so the inner divergence doesn't matter until the App is restored.Caveats (carried over from #1866's PR description)
GitHub Actions' default
GITHUB_TOKENdoes not trigger downstream workflow runs:Releaseworkflow won't auto-run. Use theworkflow_dispatchtrigger from the Actions tab to publish.