fix(ci): pass app token via token input for softprops/action-gh-release #361
softprops/action-gh-release@v3 reads the token from INPUT_TOKEN (set by the 'token' action input) before falling back to GITHUB_TOKEN. Setting env.GITHUB_TOKEN did not override INPUT_TOKEN so the action used the default GITHUB_TOKEN instead of the app-token, causing the 403.
No actionable comments were generated in the recent review. 🎉
Walkthrough
The promote-release workflow's stable release creation step is updated to pass GitHub App token authentication through the action's
# [1.4.0-rc.1](v1.3.0...v1.4.0-rc.1) (2026-05-19)

### Bug Fixes

* **ci:** add package-lock.json for semantic-release workflow ([bcd9208](bcd9208))
* **ci:** add signed commit config and create-release-pr workflow ([c89325a](c89325a))
* **ci:** advance prerelease manifest past stable release ([#372](#372)) ([33a9d44](33a9d44))
* **ci:** pass app token via token input for softprops/action-gh-release ([#361](#361)) ([77a9373](77a9373)), closes [softprops/action-#release](https://github.com/softprops/action-/issues/release)
* **ci:** re-add changelog and git plugins with signed commit support ([#375](#375)) ([ad6e3f9](ad6e3f9))
* **ci:** remove @semantic-release/git plugin that can't push to protected branch ([c3bf35c](c3bf35c))
* **ci:** remove @semantic-release/git plugin that cannot push to signature-protected branch ([e971f37](e971f37))
* **ci:** resolve semantic-release tag conflict and add changelog+git plugins ([d80ae42](d80ae42))
* update workspace_result.json paths on workspace rename ([#369](#369)) ([f06f4ba](f06f4ba))

### Features

* auto-overwrite stale agent binary and workspace clean command ([#364](#364)) ([76841a4](76841a4))
* **ci:** enable autoMergeRequest in release-please action ([#363](#363)) ([2f889bb](2f889bb))
* **ci:** migrate from release-please to semantic-release ([#374](#374)) ([9fcceef](9fcceef))
* **ci:** replace single release-please config with dual prerelease/stable setup ([#368](#368)) ([d985356](d985356))
* fix(ci): pass app token via token input for softprops/action-gh-release (#361)

  softprops/action-gh-release@v3 reads the token from INPUT_TOKEN (set by the 'token' action input) before falling back to GITHUB_TOKEN. Setting env.GITHUB_TOKEN did not override INPUT_TOKEN so the action used the default GITHUB_TOKEN instead of the app-token, causing the 403.

* feat(ci): enable autoMergeRequest in release-please action (#363)

  Adds autoMergeRequest: true to the googleapis/release-please-action step so that release-please PRs auto-merge after CI passes.

* chore(main): release 1.3.0-rc.19 (#362)

  Co-authored-by: devsy-app[bot] <277138668+devsy-app[bot]@users.noreply.github.com>

* feat: auto-overwrite stale agent binary and workspace clean command (#364)

* feat: auto-overwrite agent binary on version mismatch in Docker delivery

  When the named Docker volume already contains an agent binary with a different version, force-overwrite it instead of leaving the stale binary in place. Logs an INFO message with the old and new versions. If versions match, skip re-delivery entirely as an optimization.

* feat: add `devsy workspace clean` subcommand

  Adds a command to remove the agent binary from the Docker named volume for a workspace, forcing a fresh injection on next start. Useful when the binary becomes stale and the automatic version-mismatch detection is not sufficient.

* fix: extract docker command string to constant (goconst lint)

* chore(ci): tidy workflow comments (#365)

* chore(main): release 1.3.0-rc.20 (#366)

  Co-authored-by: devsy-app[bot] <277138668+devsy-app[bot]@users.noreply.github.com>

* feat(ci): replace single release-please config with dual prerelease/stable setup (#368)

  Split the release-please configuration into two independent tracks:

  - Prerelease track (push to main): creates RC releases with auto-merge
  - Stable track (workflow_dispatch): creates stable releases on demand

  This eliminates the promote-release.yml workaround that re-tagged RC commits as stable releases. Instead, release-please natively manages both version tracks with separate configs, manifests, labels, and changelog paths.

* chore(main): release 1.3.0-rc.21 (#370)

  Co-authored-by: devsy-app[bot] <277138668+devsy-app[bot]@users.noreply.github.com>

* fix(ci): advance prerelease manifest past stable release (#372)

* fix: update workspace_result.json paths on workspace rename (#369)

* fix: update workspace_result.json paths on workspace rename

  After renaming a workspace, the cached workspace_result.json still referenced the old workspace name in ContainerWorkspaceFolder, LocalWorkspaceFolder, and WorkspaceMount paths. This caused the container's working directory to point to /workspaces/<old-name> which doesn't exist, breaking exec and SSH into the workspace.

* fix: also update MergedConfig.WorkspaceMount on workspace rename

  Closes a gap where MergedConfig.WorkspaceMount (a *string field) was not being rewritten during rename, leaving a stale mount path in the cached result.

* refactor: derive workspace parent dirs dynamically in path replacer

  Instead of hardcoding `/workspaces` as the container workspace parent directory, derive it from SubstitutionContext.ContainerWorkspaceFolder by stripping the basename. Similarly derive the host parent from LocalWorkspaceFolder. This makes the rename path replacer work correctly for devcontainers that use a non-default workspaceFolder.

* test: add unit tests for workspace rename path replacement

* test: add e2e tests for workspace rename path updates

  Integration tests verifying that updateWorkspaceResult correctly rewrites ContainerWorkspaceFolder, LocalWorkspaceFolder, WorkspaceMount in SubstitutionContext and MergedConfig after a workspace rename. Covers: basic rename, non-default workspace dirs, nested paths, same-name idempotent rename, nil MergedConfig/WorkspaceMount, missing result file, and raw JSON roundtrip.

* fix(lint): wire up testContainerOldWS, testLocalOldWS, testContainerApp, testContainerOld constants

  Linter introduced constants but left self-referential definitions and bare literals in test bodies. Fix init cycles and use constants throughout.

* fix(lint): extract repeated /workspaces/ws-old literal to testContainerWSMount constant

* chore(main): release 1.4.0-rc.1 (#373)

  Co-authored-by: devsy-app[bot] <277138668+devsy-app[bot]@users.noreply.github.com>

* feat(ci): migrate from release-please to semantic-release (#374)

  Replace the dual release-please prerelease/stable configuration with a single semantic-release setup for simplicity.

  - Add .releaserc.json with commit-analyzer, release-notes-generator, changelog, github, and git plugins
  - Add semantic-release.yml workflow (push to main → RC, push to release → stable, plus dry-run workflow_dispatch)
  - Remove release-please workflows, configs, and manifests
  - Add semantic-release devDependencies to package.json

* fix(ci): add package-lock.json for semantic-release workflow

  The semantic-release workflow uses actions/setup-node with npm caching, which requires a lock file to be present. Also switches from npm install to npm ci for reproducible CI builds.

---------

Co-authored-by: Samuel K <skevetter@pm.me>
Co-authored-by: devsy-app[bot] <277138668+devsy-app[bot]@users.noreply.github.com>
Summary
* `softprops/action-gh-release@v3` reads the token from `INPUT_TOKEN` (populated by the `token:` action input) before falling back to `GITHUB_TOKEN`
* `env: GITHUB_TOKEN:`, which sets `GITHUB_TOKEN` but not `INPUT_TOKEN`
* `${{ github.token }}` (the low-permissions workflow token) instead of the app-token, causing the 403 "Resource not accessible by integration"
* `with: token:` so `INPUT_TOKEN` gets the correct value
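
The lookup order described in this PR, modelled as an added example; it is not code from softprops/action-gh-release or from this repository. The step objects, the placeholder token strings and the assumption that the action's `token` input defaults to the workflow token are constructed for illustration.

```javascript
// Added illustration: a model of the token lookup described in this PR.
// Not the action's source; step objects and token strings are constructed.

// The Actions runner exposes each `with:` input to the action as an
// environment variable named INPUT_<NAME> (upper-cased, spaces -> underscores).
function inputEnvName(name) {
  return "INPUT_" + name.replace(/ /g, "_").toUpperCase();
}

// Build the environment an action sees for one step. `inputDefaults` models
// defaults declared by the action itself (assumption: `token` defaults to
// the workflow token).
function stepEnvironment(step, inputDefaults) {
  const env = { ...(step.env || {}) };
  const inputs = { ...inputDefaults, ...(step.with || {}) };
  for (const [name, value] of Object.entries(inputs)) {
    env[inputEnvName(name)] = value;
  }
  return env;
}

// Lookup order stated in the PR: INPUT_TOKEN first, then GITHUB_TOKEN.
function resolveToken(env) {
  return env.INPUT_TOKEN || env.GITHUB_TOKEN || "";
}

const WORKFLOW_TOKEN = "workflow-token-placeholder"; // low-permission default
const APP_TOKEN = "app-token-placeholder";           // GitHub App token
const defaults = { token: WORKFLOW_TOKEN };

// Before the fix: the app token is only set as an environment variable.
const before = { env: { GITHUB_TOKEN: APP_TOKEN } };
// After the fix: the app token is passed through the `token` input.
const after = { with: { token: APP_TOKEN } };

function tokenUsed(step, inputDefaults = defaults) {
  return resolveToken(stepEnvironment(step, inputDefaults));
}

console.log("before:", tokenUsed(before)); // the defaulted input shadows env
console.log("after: ", tokenUsed(after));
```

The env-only form would only select the app token if the input had no default, which is why the credential actually used is worth confirming whenever a step mixes `env:` and `with:` for the same secret.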