privilegedescalation/headlamp-polaris-plugin
Archived
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
This repository has been archived on 2026-06-16. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
e62fba9cc1aae289d31c18750a588316f6ab1111
headlamp-polaris-plugin/.github/GH_APP_TOKEN.md
T
Chris Farhood e62fba9cc1 ci: use GitHub App token to enable automatic workflow triggering 
The prepare-release workflow now uses GH_APP_TOKEN instead of
GITHUB_TOKEN to push commits and tags. This allows the tag push
to automatically trigger the release workflow without manual
intervention.

GITHUB_TOKEN cannot trigger other workflows due to GitHub's
security policy to prevent infinite workflow loops.

Added documentation in .github/GH_APP_TOKEN.md explaining the
token setup and requirements.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
2026-02-12 15:08:53 -05:00

37 lines
1.6 KiB
Markdown
Raw Blame History

# GitHub App Token Setup
The `prepare-release.yaml` workflow requires a GitHub App token stored as a repository secret named `GH_APP_TOKEN`.
## Why GitHub App Token?
GitHub's default `GITHUB_TOKEN` has a security limitation: actions performed with it (like pushing commits or tags) **do not trigger other workflows**. This prevents infinite workflow loops but also means our `prepare-release` workflow cannot automatically trigger the `release` workflow when it pushes a tag.
Using a GitHub App token bypasses this limitation because the app is a separate identity from GitHub Actions.
## Setup
1. **GitHub App**: Ensure your GitHub App is installed on this repository with the following permissions:
- Repository permissions:
- Contents: Read and write
- Metadata: Read-only
2. **Generate Token**: Your GitHub App should generate installation access tokens
3. **Add Secret**: Store the token as a repository secret:
- Go to: Settings → Secrets and variables → Actions
- Name: `GH_APP_TOKEN`
- Value: Your GitHub App installation token
## Alternative: Personal Access Token (PAT)
If you don't have a GitHub App, you can use a classic PAT with `repo` scope:
- Create PAT at: Settings → Developer settings → Personal access tokens → Tokens (classic)
- Scope required: `repo`
- Store as `GH_APP_TOKEN` secret
**Note**: PATs are tied to your user account; GitHub Apps are preferred for organizational use.
## Validation
After setup, the `prepare-release` workflow will automatically trigger the `release` workflow when it pushes a tag. You should see both workflows run in sequence without manual intervention.
Reference in New Issue View Git Blame Copy Permalink