privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

Revert "ci: use GitHub App token to enable automatic workflow triggering"

Browse Source 
This reverts commit e62fba9cc1.
This commit is contained in:
Chris Farhood
2026-02-12 15:19:22 -05:00
parent e62fba9cc1
commit 189ae50024
2 changed files with 1 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/GH_APP_TOKEN.md
-36
View File
@@ -1,36 +0,0 @@
# GitHub App Token Setup
The `prepare-release.yaml` workflow requires a GitHub App token stored as a repository secret named `GH_APP_TOKEN`.
## Why GitHub App Token?
GitHub's default `GITHUB_TOKEN` has a security limitation: actions performed with it (like pushing commits or tags) **do not trigger other workflows**. This prevents infinite workflow loops but also means our `prepare-release` workflow cannot automatically trigger the `release` workflow when it pushes a tag.
Using a GitHub App token bypasses this limitation because the app is a separate identity from GitHub Actions.
## Setup
1. **GitHub App**: Ensure your GitHub App is installed on this repository with the following permissions:
- Repository permissions:
- Contents: Read and write
- Metadata: Read-only
2. **Generate Token**: Your GitHub App should generate installation access tokens
3. **Add Secret**: Store the token as a repository secret:
- Go to: Settings → Secrets and variables → Actions
- Name: `GH_APP_TOKEN`
- Value: Your GitHub App installation token
## Alternative: Personal Access Token (PAT)
If you don't have a GitHub App, you can use a classic PAT with `repo` scope:
- Create PAT at: Settings → Developer settings → Personal access tokens → Tokens (classic)
- Scope required: `repo`
- Store as `GH_APP_TOKEN` secret
**Note**: PATs are tied to your user account; GitHub Apps are preferred for organizational use.
## Validation
After setup, the `prepare-release` workflow will automatically trigger the `release` workflow when it pushes a tag. You should see both workflows run in sequence without manual intervention.
.github/workflows/prepare-release.yaml
+1 -4
View File
@@ -1,8 +1,5 @@
name: Prepare Release
# Uses GitHub App token (GH_APP_TOKEN) to trigger the release workflow
# GITHUB_TOKEN cannot trigger other workflows due to GitHub security policy
on:
workflow_dispatch:
inputs:
@@ -27,7 +24,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GH_APP_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure git
run: |