From cd3d88732115103a3c3bef88af9212acc6dc32dc Mon Sep 17 00:00:00 2001
From: Junpei Tsuji
Date: Thu, 7 May 2026 09:22:11 +0900
Subject: [PATCH 1/2] ci: use GitHub App token for release-please workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replace the implicit GITHUB_TOKEN with a GitHub App-issued token so that release PRs, merges, tags, and GitHub Releases produced by release-please are attributed to the release-please bot instead of github-actions[bot], and so that downstream workflows (e.g. tag-based Docker build / deployment pipelines) can be triggered by the events release-please emits. Workflows triggered by GITHUB_TOKEN do not spawn additional workflow runs, which blocks the natural pattern of "release-please cuts the tag → tag push triggers Docker build". An installation token from a GitHub App bypasses that restriction. Required secrets: - RELEASE_PLEASE_APP_ID: the App ID of the GitHub App - RELEASE_PLEASE_PRIVATE_KEY: the App's private key (PEM) The App must be installed on this repository with at least these permissions: contents: write, pull-requests: write.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release-please.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index a33de64..a455053 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -17,7 +17,13 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
+ - uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
+ private-key: ${{ secrets.RELEASE_PLEASE_PRIVATE_KEY }}
 - uses: googleapis/release-please-action@v4
 with:
+ token: ${{ steps.app-token.outputs.token }}
 config-file: release-please-config.json
 manifest-file: .release-please-manifest.json
From db2be1c3de2cef74fd43925a0c05cf847978b89b Mon Sep 17 00:00:00 2001
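Review bot: The token minted by the new create-github-app-token step carries every permission granted to the App installation, and unlike GITHUB_TOKEN it is not narrowed by the workflow's `permissions:` block (which, if one exists, sits above this hunk), so release-please now acts with whatever the App was installed with rather than the contents/pull-requests write the commit message describes as the minimum. If the action version in use supports the per-permission inputs, scope the token at mint time by adding `permission-contents: write` and `permission-pull-requests: write` under the step's `with:`, and keep the installation limited to this repository so a leaked token cannot reach sibling repositories. Since the point of the change is that this token does trigger downstream workflows, any workflow listening on the tag or release events release-please emits is now reachable from this job and deserves the same least-privilege review.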
From: Junpei Tsuji
Date: Thu, 7 May 2026 09:23:55 +0900
Subject: [PATCH 2/2] ci: pin actions to commit SHA for supply-chain hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replace floating tag refs with full commit SHAs so that workflow inputs cannot be silently changed by a tag re-point. Also bump release-please to v5.0.0 (current latest) per request. - actions/create-github-app-token v1 → v3.1.1 (1b10c78c7865c340bc4f6099eb2f838309f1e8c3) - googleapis/release-please-action v4 → v5.0.0 (45996ed1f6d02564a971a2fa1b5860e934307cf7)
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release-please.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index a455053..ae2cd36 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -17,12 +17,12 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/create-github-app-token@v1
+ - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 id: app-token
 with:
 app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
 private-key: ${{ secrets.RELEASE_PLEASE_PRIVATE_KEY }}
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 with:
 token: ${{ steps.app-token.outputs.token }}
 config-file: release-please-config.json
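Review bot: The `# v3.1.1` and `# v5.0.0` annotations after the pinned SHAs are comments that nothing validates, so the hardening only holds if each SHA was confirmed against the corresponding tag on the upstream repository before merge, and a pinning-aware updater (Dependabot or Renovate with SHA pinning enabled) should own future bumps so the SHA and its annotation cannot drift apart. Both changed lines also combine the pin with a major-version jump (create-github-app-token v1 to v3.1.1, release-please-action v4 to v5.0.0), so any input or manifest-handling change in those majors lands in a commit titled as a pure supply-chain fix; confirming them against the upstream release notes, or splitting the version bumps into their own commit, would keep the pin change reviewable on its own.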