From 81a867ff4f02d79b5f44d8b0bc229ccd8a8c41c6 Mon Sep 17 00:00:00 2001 From: Julius Marminge Date: Tue, 17 Mar 2026 14:48:26 -0700 Subject: [PATCH 1/2] Use release app token for main checkout in release workflow - Mint a GitHub App token before the publish job checkout - Pass the app token to `actions/checkout` when pulling `main` - Regenerate `mockServiceWorker.js` with MSW package version 2.12.10 --- .github/workflows/release.yml | 9 +++++++++ apps/web/public/mockServiceWorker.js | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8331ba5084..bc45ee639f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -308,11 +308,20 @@ jobs: needs: [preflight, release] runs-on: ubuntu-24.04 steps: + - id: app_token + name: Mint release app token + uses: actions/create-github-app-token@v2 + with: + app-id: ${{ vars.RELEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + - name: Checkout uses: actions/checkout@v6 with: ref: main fetch-depth: 0 + token: ${{ steps.app_token.outputs.token }} - name: Setup Bun uses: oven-sh/setup-bun@v2 diff --git a/apps/web/public/mockServiceWorker.js b/apps/web/public/mockServiceWorker.js index 85e9010123..daa58d0f12 100644 --- a/apps/web/public/mockServiceWorker.js +++ b/apps/web/public/mockServiceWorker.js @@ -7,7 +7,7 @@ * - Please do NOT modify this file. */ -const PACKAGE_VERSION = '2.12.9' +const PACKAGE_VERSION = '2.12.10' const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82' const IS_MOCKED_RESPONSE = Symbol('isMockedResponse') const activeClientIds = new Set() From 1d9bcf6c89094a153b1642174751e5dbab0a015f Mon Sep 17 00:00:00 2001 From: Julius Marminge Date: Tue, 17 Mar 2026 14:51:37 -0700 Subject: [PATCH 2/2] Use GitHub App bot identity for release commits - resolve the GitHub App bot user and noreply email via `gh api` - configure `git` commit author from app bot outputs instead of `github-actions[bot]` - enable persisted checkout credentials for the release workflow --- .github/workflows/release.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bc45ee639f..0a10648c8e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -322,6 +322,17 @@ jobs: ref: main fetch-depth: 0 token: ${{ steps.app_token.outputs.token }} + persist-credentials: true + + - id: app_bot + name: Resolve GitHub App bot identity + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} + APP_SLUG: ${{ steps.app_token.outputs.app-slug }} + run: | + user_id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" + echo "name=${APP_SLUG}[bot]" >> "$GITHUB_OUTPUT" + echo "email=${user_id}+${APP_SLUG}[bot]@users.noreply.github.com" >> "$GITHUB_OUTPUT" - name: Setup Bun uses: oven-sh/setup-bun@v2 @@ -358,8 +369,8 @@ jobs: exit 0 fi - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config user.name "${{ steps.app_bot.outputs.name }}" + git config user.email "${{ steps.app_bot.outputs.email }}" git add apps/server/package.json apps/desktop/package.json apps/web/package.json packages/contracts/package.json bun.lock git commit -m "chore(release): prepare $RELEASE_TAG"