Skip to content

ci: use a GitHub App token to authenticate releases#6

Merged
jaissica12 merged 4 commits into
mainfrom
ci/use-github-app-token-for-release
Jun 18, 2026
Merged

ci: use a GitHub App token to authenticate releases#6
jaissica12 merged 4 commits into
mainfrom
ci/use-github-app-token-for-release

Conversation

@jaissica12

@jaissica12 jaissica12 commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Switches the release pipeline from authenticating with a long-lived classic PAT
(MP_INTEGRATIONS_SEMANTIC_RELEASE_BOT) to a short-lived GitHub App installation
token, matching the approach used in the rokt-sdk-ios release workflow.

The most recent release run published 1.1.0 to npm successfully but failed at
the final @semantic-release/github step with a 404 on the GitHub Releases API
(POST /repos/mparticle-integrations/.../releases). The PAT had the correct
repo scope but its underlying account lacks access to create releases in this
repo, so the GitHub Release was never created and the branch-sync step was
skipped.

Changes (in .github/workflows/release.yml):

  • Add a Generate GitHub App token step (actions/create-github-app-token) to
    the release and sync-repository jobs, using the
    SDK_RELEASE_GITHUB_APP_ID / SDK_RELEASE_GITHUB_APP_PRIVATE_KEY secrets.
  • Use that token for actions/checkout and as GITHUB_TOKEN for semantic-release
    (which creates the GitHub Release and pushes the tag/release commit).
  • Use the token for the sync-repository checkout that pushes to main/development
    and deletes the release branch.
  • Remove all references to MP_INTEGRATIONS_SEMANTIC_RELEASE_BOT.

create-release-branch is left on the default GITHUB_TOKEN since it only pushes
a new release/* branch, which the built-in token is already allowed to do.

Testing Plan

This is a CI/CD-only change and can't be exercised by unit tests or a PR check,
it only runs in the Release Kit workflow on workflow_dispatch.

Validation will happen on the next release run:

  • Confirm the Generate GitHub App token step succeeds in both jobs.
  • Confirm @semantic-release/github creates the vX.Y.Z GitHub Release (no 404).
  • Confirm the tag + release commit push, and that sync-repository updates
    main/development and deletes the release branch.

A dryRun = true run can sanity-check token generation and version computation,
but it won't exercise the actual GitHub Release creation.

@jaissica12 jaissica12 requested a review from jamesnrokt June 15, 2026 18:36
jamesnrokt
jamesnrokt reviewed Jun 15, 2026
View reviewed changes
Comment thread .github/workflows/release.yml
@jaissica12
ci: create GitHub release via ncipollo instead of the semantic-releas…
72c2945 
…e plugin

Replace @semantic-release/github with explicit GitHub Release creation. The
release steps (resolve version, extract notes, create release) are appended to
the existing sync-repository job so they reuse its App token and main checkout
rather than duplicating them in a separate job.

semantic-release still owns version determination, CHANGELOG, npm publish, and
tagging; only the Release creation moves out into a SHA-pinned action. Because
it runs after the branch sync, a Release-creation failure can no longer fail the
release job or block npm publish, the tag, or the sync. Version is read from the
bumped package.json; notes are extracted from CHANGELOG.md and the dist bundles
are attached.

Pattern adapted from the RoktUXHelper iOS "Release - Publish" workflow
(ffurrer2/extract-release-notes + ncipollo/release-action).
@jaissica12
ci: use ncipollo auto-generated release notes
41b8c21 
Drop the ffurrer2/extract-release-notes step and let ncipollo generate the
release notes via generateReleaseNotes. Simpler, and avoids the CHANGELOG
format mismatch between semantic-release and the Keep-a-Changelog parser.
@jaissica12
ci: trim release-step comments
22bf439
@jaissica12 jaissica12 mentioned this pull request Jun 17, 2026
Closed
@jaissica12 jaissica12 requested a review from jamesnrokt June 17, 2026 20:19
jamesnrokt
jamesnrokt approved these changes Jun 18, 2026
View reviewed changes

@jamesnrokt jamesnrokt left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved and verified the referenced secrets are setup

@jaissica12 jaissica12 merged commit 670531b into main Jun 18, 2026
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jamesnrokt jamesnrokt jamesnrokt approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jaissica12 @jamesnrokt