Merged
17 changes: 16 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -19,9 +19,24 @@ jobs:
contents: write # Needed for release-please to create PRs
pull-requests: write # Needed for release-please to create PRs
steps:
# Mint a GitHub App token so the release-please-created release is authored by the
# App, not github-actions[bot]. Events from the default GITHUB_TOKEN do NOT trigger
# new workflow runs (GitHub anti-recursion), which is why bot-created releases never
# fired `release: published` and the build/upload_pypi/deploy jobs below were skipped.
- uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
id: app-token
with:
app-id: ${{ secrets.DS_RELEASE_BOT_ID }}
private-key: ${{ secrets.DS_RELEASE_BOT_PRIVATE_KEY }}
# Scope the minted token to least privilege instead of inheriting the App's
# blanket installation permissions (zizmor: dangerous-github-app-tokens).
# release-please only needs Contents (tags/release) + Pull requests (release PR).
permission-contents: write
permission-pull-requests: write

- uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
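Review bot: The `contents: write` and `pull-requests: write` lines at the top of this hunk are still commented "Needed for release-please to create PRs", but release-please now authenticates with `steps.app-token.outputs.token`, so none of the visible steps uses the default `GITHUB_TOKEN` for those writes. If no later step in this job relies on them, drop those grants to read-only so the job does not carry two write-capable tokens; if something below does need them, update the comments to name that step. The `permission-contents` and `permission-pull-requests` scoping on the minted token and the commit-SHA pins on both actions match the least-privilege intent stated in the comments.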

2 changes: 1 addition & 1 deletion RELEASING.md
Expand Up @@ -9,7 +9,7 @@ Releases are automated via [release-please](https://github.com/googleapis/releas
- Bumps the version in `pyproject.toml`, all sub-package `pyproject.toml` files, and `__init__.py` files
- Bumps `appVersion` in `deployment/k8s/charts/Chart.yaml`
- Updates `CHANGES.md` with the changelog for the new version
3. When that PR is merged, release-please creates a GitHub release tagged `X.Y.Z`, which triggers the PyPI publish workflow.
3. When that PR is merged, release-please creates a GitHub release tagged `X.Y.Z`. The release is authored via a **GitHub App token** (not the default `GITHUB_TOKEN`), which is what lets the `release: published` event trigger the PyPI publish and AWS deploy workflows — events from the default `GITHUB_TOKEN` do **not** cascade into new workflow runs, so a bot-authored release would otherwise publish nothing.

## Helm chart version
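Review bot: The rewritten step 3 explains why a GitHub App token is used but not what it depends on: the `DS_RELEASE_BOT_ID` and `DS_RELEASE_BOT_PRIVATE_KEY` secrets referenced in `release.yml`, and an App installation on this repository with Contents and Pull requests write. Add a sentence naming those prerequisites so that a release that creates no publish run can be diagnosed from this document, including after a key rotation. The workflow comment also calls `build/upload_pypi/deploy` jobs in the same workflow, while this text calls them "workflows"; use one term in both places.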
