The prepare-release workflow now uses GH_APP_TOKEN instead of GITHUB_TOKEN to push commits and tags. This allows the tag push to automatically trigger the release workflow without manual intervention.

GITHUB_TOKEN cannot trigger other workflows due to GitHub's security policy to prevent infinite workflow loops.

Added documentation in .github/GH_APP_TOKEN.md explaining the token setup and requirements.

Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
GitHub App Token Setup
The prepare-release.yaml workflow requires a GitHub App token stored as a repository secret named GH_APP_TOKEN.
Why GitHub App Token?
GitHub's default GITHUB_TOKEN has a security limitation: actions performed with it (like pushing commits or tags) do not trigger other workflows. This prevents infinite workflow loops but also means our prepare-release workflow cannot automatically trigger the release workflow when it pushes a tag.
Using a GitHub App token bypasses this limitation because the app is a separate identity from GitHub Actions.
Setup
- GitHub App: Ensure your GitHub App is installed on this repository with the following permissions:
  - Repository permissions:
    - Contents: Read and write
    - Metadata: Read-only
- Generate Token: Your GitHub App should generate installation access tokens
- Add Secret: Store the token as a repository secret:
  - Go to: Settings → Secrets and variables → Actions
  - Name: GH_APP_TOKEN
  - Value: Your GitHub App installation token
Alternative: Personal Access Token (PAT)
If you don't have a GitHub App, you can use a classic PAT with repo scope:
- Create PAT at: Settings → Developer settings → Personal access tokens → Tokens (classic)
- Scope required: repo
- Store as GH_APP_TOKEN secret
Note: PATs are tied to your user account; GitHub Apps are preferred for organizational use.
Validation
After setup, the prepare-release workflow will automatically trigger the release workflow when it pushes a tag. You should see both workflows run in sequence without manual intervention.
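Review bot: In the Setup list, "Generate Token" gives no procedure and no lifetime for the installation access token, while "Add Secret" has it pasted into a static repository secret. If that token expires, the prepare-release push will start failing and nothing here tells the maintainer why or how to refresh it. Please state how the token is produced, how long it is valid and who rotates the secret, or have the workflow obtain the token at run time from the App's credentials instead of storing the token itself. In the PAT alternative, it is also worth saying that a classic PAT with repo scope grants more than the "Contents: Read and write" and "Metadata: Read-only" permissions listed for the App, and that reusing the GH_APP_TOKEN secret name for a PAT hides which kind of credential is in use. The Validation section could add a negative check as well: what the maintainer sees when the secret is missing or no longer valid.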