[backport] [ci] Stop using Release App token + bump pnpm/action-setup #1918
#1785)

* ci: upgrade pnpm/action-setup to v6 and read version from package.json

  Removes hardcoded pnpm version (10.14.0) from all workflows and instead reads the version from the packageManager field in package.json, so CI stays in sync with the version used locally.

* ci: update setup-workflow-dev composite action to use pnpm/action-setup@v6

  Also removes the pnpm-version input since the action now reads the version from package.json#packageManager.

* ci: downgrade pnpm/action-setup to v5

  v6 installs pnpm 11 RC/beta, which has a regression (pnpm/pnpm#11264, pnpm/action-setup#225/#227/#228) that causes 'ERR_PNPM_BROKEN_LOCKFILE: expected a single document in the stream' when the project's packageManager pins a 10.x pnpm version. v5 is the latest stable release before v6 and supports reading the version from package.json#packageManager.
The Release App has been temporarily removed. Switch the Release and Backport workflows to use the default GITHUB_TOKEN, and disable the cross-repo Front dispatch workflow until the App is restored. Also add a workflow_dispatch trigger to release.yml so the Version Packages PR can be created/updated manually (since pushes made by GITHUB_TOKEN do not trigger downstream workflow runs).
The repo enforces "Commits must have verified signatures" via an org/enterprise-level ruleset, which blocks unsigned commits pushed via the Git CLI by GITHUB_TOKEN. Switching the changesets action to commitMode: github-api makes commits GPG-signed by GitHub.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Rajlich <n@n8.io>
🦋 Changeset detected
Latest commit: 4f56f12
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 0 packages
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
🧪 E2E Test Results
❌ Some tests failed
❌ Failed Tests
🌍 Community Worlds (82 failed)
- mongodb (10 failed)
- redis (7 failed)
- turso (65 failed)
Details by Category
✅ ▲ Vercel Production
✅ 💻 Local Development
✅ 📦 Local Production
✅ 🐘 Local Postgres
✅ 🪟 Windows
❌ 🌍 Community Worlds
✅ 📋 Other
Pull request overview
Backports CI workflow changes to the stable branch to unblock releases after the Release GitHub App was removed, and aligns pnpm setup with the repo’s pinned pnpm version in package.json.
Changes:
- Remove the “Generate GitHub App Token” dependency from the Release workflow and use secrets.GITHUB_TOKEN instead; add workflow_dispatch for manual release reruns.
- Configure changesets/action@v1 to use commitMode: github-api to satisfy verified-signature branch rules.
- Upgrade pnpm setup from pnpm/action-setup@v3 (hardcoded version) to @v5 (reads from package.json#packageManager) across relevant workflows and the setup-workflow-dev composite action.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/tests.yml | Bumps pnpm/action-setup to @v5 in test jobs that set up pnpm directly. |
| .github/workflows/release.yml | Removes App-token generation, switches to secrets.GITHUB_TOKEN, adds workflow_dispatch, and sets commitMode: github-api for Changesets. |
| .github/workflows/dispatch-front-workflow-release-pr.yml | Disables cross-repo dispatch jobs (requires App token) via if: false && ... gating and updates header comment. |
| .github/workflows/debug-windows.yml | Bumps pnpm/action-setup to @v5 for the Windows debug workflow. |
| .github/actions/setup-workflow-dev/action.yml | Removes pnpm-version input and upgrades pnpm setup to pnpm/action-setup@v5. |
| .changeset/backport-release-app-token-removal.md | Adds an (empty-frontmatter) Changeset note documenting the backport/unblock rationale. |
The Release job on stable is failing at the Generate GitHub App Token step because the Release App was temporarily removed:

Already fixed on main in #1866 + #1867 (and #1785 for the related pnpm/action-setup upgrade). This PR cherry-picks all three to stable.

Cherry-picked commits

In order:

- #1785 — ci: upgrade pnpm/action-setup to v5 and read version from package.json
  - pnpm/action-setup@v3 + explicit version: 10.14.0 with @v5 (reads packageManager field from package.json, currently pinned at 10.20.0).
  - .github/workflows/backport.yml: doesn't exist on stable (main-only file) → git rm.
  - .github/workflows/docs-checks.yml and .github/workflows/lint.yml: stable's versions are intentionally stripped to no-op stubs (if: false + - run: true). Kept stable's stub bodies; nothing to upgrade since neither uses pnpm/action-setup in those stubs.
- #1866 — ci: stop using Release App token in release workflows
  - .github/workflows/release.yml: removes the Generate GitHub App Token step, switches GITHUB_TOKEN to secrets.GITHUB_TOKEN everywhere, hardcodes git identity to github-actions[bot], adds workflow_dispatch trigger for manual re-runs.
  - .github/workflows/dispatch-front-workflow-release-pr.yml: gates both jobs on if: false && since the cross-repo dispatch to vercel/front requires the App token. (Backport-only file backport.yml skipped — doesn't exist on stable.)
- #1867 — ci: use GitHub API commit mode for changesets action
  - commitMode: github-api to the changesets/action@v1 invocation so commits are GPG-signed via the API (required by org-level branch rulesets that mandate verified signatures on all branches).

Plus a small Copilot Autofix on the comment in dispatch-front-workflow-release-pr.yml that drops the reference to backport.yml (which doesn't exist on stable).

Verification

After cherry-pick, release.yml is byte-identical to main:

Caveats (carried over from #1866's PR description)

GitHub Actions' default GITHUB_TOKEN does not trigger downstream workflow runs:

- Release workflow won't auto-run. Use the workflow_dispatch trigger from the Actions tab to publish.

Note on the Vercel – workbench-tanstack-start-workflow CI failure

This PR's CI will show that deploy as failing — same as #1913 did before — because the workbench app doesn't exist on stable yet. That's being addressed separately by #1914. The two PRs land independently.
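
The workflow shape the description above arrives at, as an added example (not the repository's release.yml): default GITHUB_TOKEN, a manual trigger, pnpm taken from package.json, and API-mode commits so a verified-signature ruleset accepts them. The permissions block, the checkout and setup-node versions, the Node version and the `pnpm release` script name are assumptions.

```yaml
# Added illustration; not the project's own workflow file.
name: Release

on:
  push:
    branches: [stable]
  # Pushes made with GITHUB_TOKEN do not start downstream workflow runs,
  # so a manual trigger is kept for creating/updating the Version Packages PR
  # and for publishing.
  workflow_dispatch:

# Assumed scopes: the default token needs these to push the version commit
# and to open or update the pull request.
permissions:
  contents: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # assumed version

      # No `version:` input: pnpm is read from package.json#packageManager,
      # so CI and local development use the same pinned release.
      - uses: pnpm/action-setup@v5

      - uses: actions/setup-node@v4        # assumed version
        with:
          node-version: 22                 # assumed
          cache: pnpm

      - run: pnpm install --frozen-lockfile

      - uses: changesets/action@v1
        with:
          # github-api: commits are created through the GitHub API and signed
          # by GitHub, which satisfies a "verified signatures" ruleset.
          # The default mode, git-cli, pushes unsigned commits that such a
          # ruleset blocks.
          commitMode: github-api
          publish: pnpm release            # hypothetical script name
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Registry credentials for publishing are omitted here.
```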