ci: Use Applied AI release bot token to create release commits #506
tylerhutcherson merged 3 commits into main from
Jit Security Scan Results: No security findings were detected in this PR (security scan by Jit).
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dbc6a90a5e
| RELEASE_BOT_NAME: "applied-ai-releases[bot]" | ||
| RELEASE_BOT_EMAIL: "applied-ai-releases[bot]@users.noreply.github.com" |
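Review bot: the address in RELEASE_BOT_EMAIL, applied-ai-releases[bot]@users.noreply.github.com, will not get commits attributed to the App's bot account; GitHub links App commits to the bot user only when the noreply address carries the bot user's numeric ID prefix (the form <user-id>+applied-ai-releases[bot]@users.noreply.github.com, where the ID is looked up from the App slug), so consider resolving that ID in the workflow rather than hard-coding the bare slug. Whatever names are chosen here, define them once and have every git config and auto step in the release job read the same RELEASE_BOT_NAME/RELEASE_BOT_EMAIL variables; an unreferenced rename silently expands to an empty string in the shell.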
Keep bot env names consistent across release steps
This commit renames the workflow env vars to RELEASE_BOT_NAME/RELEASE_BOT_EMAIL, but the release job still reads GH_ACTIONS_BOT_NAME/GH_ACTIONS_BOT_EMAIL in auto latest and git config. In GitHub Actions, those undefined vars resolve to empty strings, so the commit step ends up running git config user.name "" and git config user.email "", which causes git commit to fail with fatal: empty ident name whenever a version bump is produced.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| id: latest_release | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GH_TOKEN: ${{ steps.app_token.outputs.token }} |
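Review bot: swapping GH_TOKEN from secrets.GITHUB_TOKEN to steps.app_token.outputs.token in the latest_release step widens what this step can do, because (per the description) the App is excluded from branch protection, so any run of this job with that token can push directly to main. Before merging, confirm the workflow's triggers cannot be reached from a fork or a pull_request event, drop the job's GITHUB_TOKEN permissions to read since the default token no longer needs contents: write, and scope the minted token to this repository and to contents: write only (actions/create-github-app-token exposes repositories and permission-* inputs for that), so a leaked or logged token cannot reach other repositories or permissions. The app_token step this line depends on must also run before latest_release and before actions/checkout if the push is meant to use the App identity.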
Renamed env vars not updated in shell references
High Severity
The environment variables were renamed from GH_ACTIONS_BOT_NAME/GH_ACTIONS_BOT_EMAIL to RELEASE_BOT_NAME/RELEASE_BOT_EMAIL, but all four shell references still use the old ${GH_ACTIONS_BOT_NAME} and ${GH_ACTIONS_BOT_EMAIL} names. These will expand to empty strings, causing the release version resolution, git commit identity, and release creation to use blank name/email values, breaking the entire release workflow.


Branch protection rules in the repository prevent the release process from pushing a commit bumping the version. @tylerhutcherson and I created a GitHub App that can be excluded from that rule to enable the frictionless release workflow we want.
This PR adapts the workflow to use that bot's GitHub token for its operations.
Note: Medium Risk
Changes the release automation to authenticate with a GitHub App token and push to main, which can impact publishing if token/scopes/secret configuration is wrong. Introduces reliance on a new secret (RELEASE_BOT_PRIVATE_KEY) for release creation and version-bump commits.
Overview
Release automation now runs under a GitHub App identity instead of the default GITHUB_TOKEN. The release-new.yml workflow generates an App token (actions/create-github-app-token@v2) using RELEASE_BOT_PRIVATE_KEY, uses it for actions/checkout, and swaps GH_TOKEN to the App token for auto commands. The release step also changes auto latest to run with --no-changelog, and adds release-bot identity env vars (RELEASE_BOT_NAME/RELEASE_BOT_EMAIL) for the new bot.
Written by Cursor Bugbot for commit dbc6a90.
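As an added example that is not the PR's own release-new.yml, the job below wires the App token through token minting, checkout, the git identity and the auto step with one consistent set of variable names, and scopes both the default GITHUB_TOKEN and the minted token to the minimum the job needs. The secret name RELEASE_BOT_APP_ID and an auto CLI already on PATH are assumptions; RELEASE_BOT_PRIVATE_KEY, the env var names and the step ids are taken from the PR.

```yaml
# Added example (not this PR's workflow). Assumes the App ID lives in a secret
# named RELEASE_BOT_APP_ID and that the `auto` CLI is installed on the runner.
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # GITHUB_TOKEN no longer needs write; the App pushes
    env:
      RELEASE_BOT_NAME: "applied-ai-releases[bot]"
      RELEASE_BOT_EMAIL: "applied-ai-releases[bot]@users.noreply.github.com"
    steps:
      - name: Mint a short-lived App installation token
        id: app_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}          # assumed secret name
          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
          # Scope the token to this repository and to contents: write only, so a
          # leaked token cannot reach other repositories or other permissions.
          repositories: ${{ github.event.repository.name }}
          permission-contents: write

      - uses: actions/checkout@v4
        with:
          token: ${{ steps.app_token.outputs.token }}   # later `git push` uses the App
          fetch-depth: 0                                # auto needs tags and history
          persist-credentials: true

      - name: Configure the release bot identity
        # Reads the same names declared in the job env above. A mismatch (for
        # example a stale GH_ACTIONS_BOT_* reference) expands to "" and makes
        # `git commit` fail with "fatal: empty ident name".
        run: |
          git config user.name  "${RELEASE_BOT_NAME}"
          git config user.email "${RELEASE_BOT_EMAIL}"

      - name: Bump version and publish the release
        id: latest_release
        env:
          GH_TOKEN: ${{ steps.app_token.outputs.token }}  # auto uses the App token
        run: auto latest --no-changelog
```

The minted token expires after the run and is revoked by the action on job completion, so the long-lived private key never leaves the secret store.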