Revert "ci: use GitHub App token to enable automatic workflow triggering"
This reverts commit e62fba9cc1.
@@ -1,36 +0,0 @@
|
|||||||
# GitHub App Token Setup
|
|
||||||
|
|
||||||
The `prepare-release.yaml` workflow requires a GitHub App token stored as a repository secret named `GH_APP_TOKEN`.
|
|
||||||
|
|
||||||
## Why GitHub App Token?
|
|
||||||
|
|
||||||
GitHub's default `GITHUB_TOKEN` has a security limitation: actions performed with it (like pushing commits or tags) **do not trigger other workflows**. This prevents infinite workflow loops but also means our `prepare-release` workflow cannot automatically trigger the `release` workflow when it pushes a tag.
|
|
||||||
|
|
||||||
Using a GitHub App token bypasses this limitation because the app is a separate identity from GitHub Actions.
|
|
||||||
|
|
||||||
## Setup
|
|
||||||
|
|
||||||
1. **GitHub App**: Ensure your GitHub App is installed on this repository with the following permissions:
|
|
||||||
- Repository permissions:
|
|
||||||
- Contents: Read and write
|
|
||||||
- Metadata: Read-only
|
|
||||||
|
|
||||||
2. **Generate Token**: Your GitHub App should generate installation access tokens
|
|
||||||
|
|
||||||
3. **Add Secret**: Store the token as a repository secret:
|
|
||||||
- Go to: Settings → Secrets and variables → Actions
|
|
||||||
- Name: `GH_APP_TOKEN`
|
|
||||||
- Value: Your GitHub App installation token
|
|
||||||
|
|
||||||
## Alternative: Personal Access Token (PAT)
|
|
||||||
|
|
||||||
If you don't have a GitHub App, you can use a classic PAT with `repo` scope:
|
|
||||||
- Create PAT at: Settings → Developer settings → Personal access tokens → Tokens (classic)
|
|
||||||
- Scope required: `repo`
|
|
||||||
- Store as `GH_APP_TOKEN` secret
|
|
||||||
|
|
||||||
**Note**: PATs are tied to your user account; GitHub Apps are preferred for organizational use.
|
|
||||||
|
|
||||||
## Validation
|
|
||||||
|
|
||||||
After setup, the `prepare-release` workflow will automatically trigger the `release` workflow when it pushes a tag. You should see both workflows run in sequence without manual intervention.
|
|
||||||
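Review bot: The revert deletes the whole setup document, but neither the commit message nor this hunk says why the App-token approach is being dropped or what should happen to the `GH_APP_TOKEN` secret the document told maintainers to create. Because the document also allowed a classic PAT with `repo` scope to be stored under that name, the commit message should ask for the secret to be deleted under Settings → Secrets and variables → Actions and for any such PAT to be revoked, so that an unused write-capable credential does not stay behind in the repository.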
@@ -1,8 +1,5 @@
|
|||||||
name: Prepare Release
|
name: Prepare Release
|
||||||
|
|
||||||
# Uses GitHub App token (GH_APP_TOKEN) to trigger the release workflow
|
|
||||||
# GITHUB_TOKEN cannot trigger other workflows due to GitHub security policy
|
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
inputs:
|
inputs:
|
||||||
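Review bot: Removing both header comments above `on:` also removes the only in-file record that `GITHUB_TOKEN` cannot trigger other workflows. Per the documentation deleted in this same commit, a tag pushed with `GITHUB_TOKEN` will not start the `release` workflow, so consider keeping one comment line here stating that the release workflow has to be started separately after this one finishes.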
@@ -27,7 +24,7 @@ jobs:
|
|||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.GH_APP_TOKEN }}
|
token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Configure git
|
- name: Configure git
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
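Review bot: On the Checkout step, `token: ${{ secrets.GITHUB_TOKEN }}` passes the value actions/checkout already uses by default, so the `token:` line can be dropped instead of restored. Checkout keeps that token for later git commands, which means any push after "Configure git" runs as `GITHUB_TOKEN`; confirm that the job grants `contents: write` and that the `release` workflow has a trigger other than the tag push, neither of which is visible in this hunk.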