Skip to content

ci: use a GitHub App token to authenticate releases #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jaissica12 merged 4 commits into from
Jun 18, 2026
+41 −15
Merged

ci: use a GitHub App token to authenticate releases #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9b5f0fa
ci: use a GitHub App token to authenticate releases
jaissica12 Jun 15, 2026
72c2945
ci: create GitHub release via ncipollo instead of the semantic-releas…
jaissica12 Jun 17, 2026
41b8c21
ci: use ncipollo auto-generated release notes
jaissica12 Jun 17, 2026
22bf439
ci: trim release-step comments
jaissica12 Jun 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 41 additions & 4 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,21 +76,28 @@ jobs:
id-token: write # Required for OIDC authentication with npm

env:
GITHUB_TOKEN: ${{ secrets.MP_INTEGRATIONS_SEMANTIC_RELEASE_BOT }}
GIT_AUTHOR_NAME: mparticle-automation
GIT_AUTHOR_EMAIL: developers@mparticle.com
GIT_COMMITTER_NAME: mparticle-automation
GIT_COMMITTER_EMAIL: developers@mparticle.com
# npm auth: no trusted publisher is configured on npmjs for this package,
# so publish authenticates with the org token (provenance still attested via OIDC).
# npm auth: publish authenticates via OIDC trusted publishing; the token
# remains as a fallback (provenance is still attested via OIDC).
NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

steps:
- name: Generate GitHub App token
id: app_token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SDK_RELEASE_GITHUB_APP_ID }}
private-key: ${{ secrets.SDK_RELEASE_GITHUB_APP_PRIVATE_KEY }}

- name: Checkout public main branch
uses: actions/checkout@v6
with:
fetch-depth: 0
ref: main
token: ${{ steps.app_token.outputs.token }}

- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@v4
Expand All @@ -117,10 +124,14 @@ jobs:

- name: Release --dry-run
if: ${{ github.event.inputs.dryRun == 'true'}}
env:
GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
npx semantic-release --dry-run
- name: Release
if: ${{ github.event.inputs.dryRun == 'false'}}
env:
GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
npx semantic-release
Comment thread
jaissica12 marked this conversation as resolved.
- name: Archive npm failure logs
Expand All @@ -138,13 +149,22 @@ jobs:
name: Sync repositories
needs: release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Generate GitHub App token
id: app_token
uses: actions/create-github-app-token@v3
with:
app-id: ${{ secrets.SDK_RELEASE_GITHUB_APP_ID }}
private-key: ${{ secrets.SDK_RELEASE_GITHUB_APP_PRIVATE_KEY }}

- name: Checkout main branch
uses: actions/checkout@v6
with:
fetch-depth: 0
repository: ${{ github.repository }}
token: ${{ secrets.MP_INTEGRATIONS_SEMANTIC_RELEASE_BOT }}
token: ${{ steps.app_token.outputs.token }}
ref: main

- name: Merge release branch into main branch
Expand All @@ -160,3 +180,20 @@ jobs:
if: ${{ github.event.inputs.dryRun == 'false' }}
run: |
git push --delete origin release/${{ github.run_number }}

# Runs last so a Release failure can't block npm publish, the tag, or the sync.
- name: Resolve released version
id: version
if: ${{ github.event.inputs.dryRun == 'false' }}
run: echo "release-version=v$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"

- name: Create GitHub release
if: ${{ github.event.inputs.dryRun == 'false' }}
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
makeLatest: true
allowUpdates: true
generateReleaseNotes: true
tag: ${{ steps.version.outputs.release-version }}
artifacts: 'dist/RoktPayPlus-Kit.common.js,dist/RoktPayPlus-Kit.esm.js,dist/RoktPayPlus-Kit.iife.js,dist/RoktPayPlus-Kit.d.ts'
token: ${{ steps.app_token.outputs.token }}
11 changes: 0 additions & 11 deletions release.config.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,17 +46,6 @@ module.exports = {
publishCmd: 'npm publish',
},
],
[
'@semantic-release/github',
{
assets: [
'dist/RoktPayPlus-Kit.common.js',
'dist/RoktPayPlus-Kit.esm.js',
'dist/RoktPayPlus-Kit.iife.js',
'dist/RoktPayPlus-Kit.d.ts',
],
},
],
[
'@semantic-release/git',
{
Expand Down
Loading