21 changes: 12 additions & 9 deletions .github/workflows/release.yaml
Expand Up @@ -16,10 +16,7 @@ on:
description: "Version to release (e.g. 1.5.0, no v prefix)"
required: true
type: string
permissions:
contents: write
# Needed to dispatch the downstream binary build workflows from this run.
actions: write
permissions: {}
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
Expand All @@ -42,10 +39,16 @@ jobs:
echo "::error::release.yaml must be dispatched against refs/heads/main, got ${GITHUB_REF}"
exit 1
fi
- uses: actions/create-github-app-token@v3
id: release-app-token
with:
app-id: ${{ vars.RELEASE_APP_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
- uses: actions/checkout@v6
with:
fetch-depth: 0
persist-credentials: false
token: ${{ steps.release-app-token.outputs.token }}
- name: Classify release
id: classify
env:
Expand All @@ -61,7 +64,7 @@ jobs:
- name: Determine release state
id: state
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.release-app-token.outputs.token }}
VERSION: ${{ inputs.version }}
# Tag existence is the source of truth for "release in progress":
# main HEAD may have moved past the release commit (a follow-up fix
Expand Down Expand Up @@ -140,9 +143,9 @@ jobs:
go mod tidy
- name: Commit and tag via GitHub API
# API-created commits/tags are signed server-side with GitHub's key
# and show as "Verified" under the github-actions[bot] identity.
# and show as "Verified" under the dunglas-release[bot] identity.
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.release-app-token.outputs.token }}
REPO: ${{ github.repository }}
VERSION: ${{ inputs.version }}
RESUME: ${{ steps.state.outputs.resume }}
Expand Down Expand Up @@ -243,7 +246,7 @@ jobs:
# releases. Use the REST releases endpoints directly: they see the
# tag immediately and behave deterministically.
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.release-app-token.outputs.token }}
REPO: ${{ github.repository }}
VERSION: ${{ inputs.version }}
PRERELEASE: ${{ steps.classify.outputs.prerelease }}
Expand Down Expand Up @@ -273,7 +276,7 @@ jobs:
# specific dispatches that didn't go through. Re-dispatch on resume
# is harmless: it just queues another build run.
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.release-app-token.outputs.token }}
REPO: ${{ github.repository }}
VERSION: ${{ inputs.version }}
run: |
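Review bot: The app token minted by the `actions/create-github-app-token@v3` step carries every permission the installation holds, while the workflow itself now declares `permissions: {}`; the least privilege the removed block documented (`contents: write` plus `actions: write` for dispatching the downstream binary builds) should be re-stated on the token step, e.g. `permission-contents: write` and `permission-actions: write` under its `with:` (these inputs exist in recent releases of the action; confirm for the pinned major). The why-comment that disappeared with the old `actions: write` line, "Needed to dispatch the downstream binary build workflows from this run", should move to that step so the reader knows why the app must hold that scope. Both newly introduced actions are pinned by major tag only; for a workflow that creates signed tags and releases, pinning to a commit SHA is worth considering. The job body runs past the hunks in both directions, so it is not visible here whether `owner`/`repositories` are set on the token step — by default the action presumably scopes the token to the current repository, which is the desired state, but verify.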