From 33419da2116898c1b9fef8ac37b0667de980b594 Mon Sep 17 00:00:00 2001 From: Moshe Immerman Date: Mon, 29 Jun 2026 09:18:13 +0300 Subject: [PATCH] ci(release): authenticate semantic-release via Flanksource GitHub App The Create Release workflow failed at job setup with "Repository access blocked" and the default GITHUB_TOKEN cannot push release tags / create releases under current org policy, so no semver tag was being cut on push to master. Mint a GitHub App installation token (actions/create-github-app-token) from the Flanksource App credentials (FLANKSOURCE_APP_ID / FLANKSOURCE_APP_SECRET) and use it for both the checkout and the semantic-release step. --- .github/workflows/release.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5e0078f..ff49e8f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,11 +16,23 @@ jobs: with: egress-policy: audit + # Mint a GitHub App installation token for the Flanksource App so + # semantic-release can push the release tag and create the GitHub Release. + # The default GITHUB_TOKEN is blocked from these writes by org policy. + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ secrets.FLANKSOURCE_APP_ID }} + private-key: ${{ secrets.FLANKSOURCE_APP_SECRET }} + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + token: ${{ steps.app-token.outputs.token }} - uses: codfish/semantic-release-action@b621d34fabe0940f031e89b6ebfea28322892a10 # v3.5.0 id: semantic env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} bump-clients: runs-on: ubuntu-latest