fix: use kernel-internal app token for release workflow #2
+13
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
Bugbot Autofix prepared fixes for 1 of the 1 bugs found in the latest run.
Or push these changes by commenting: Preview (cf6bcc22ad)diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,12 +7,6 @@
name: Release
runs-on: ubuntu-22.04
steps:
- - name: Generate app token
- id: app-token
- uses: actions/create-github-app-token@v1
- with:
- app-id: ${{ secrets.ADMIN_APP_ID }}
- private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
- name: Code checkout
uses: actions/checkout@v4
with:
@@ -31,6 +25,12 @@
run: make ch_defconfig
- name: Build kernel (x86-64)
run: CFLAGS="-Wa,-mx86-used-note=no" make bzImage -j `nproc`
+ - name: Generate app token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.ADMIN_APP_ID }}
+ private-key: ${{ secrets.ADMIN_APP_PRIVATE_KEY }}
- name: Create release
id: create_release
uses: actions/create-release@v1 |
ulziibay-kernel
approved these changes
Feb 10, 2026
Author
GitHub App installation tokens expire after 1 hour. Previously the token was generated at the very start of the workflow, before three full kernel builds. On a 2-core runner these builds can easily exceed 1 hour, causing the token to expire before the release creation and asset upload steps. Move the token generation step to immediately before the 'Create release' step so the token is fresh when it is actually needed. Applied via @cursor push command
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
GITHUB_TOKENto kernel-internal GitHub App tokenChanges
actions/create-github-app-token@v1step to generate app tokensecrets.GITHUB_TOKENreferences with the app token for release creation and asset uploadsNote
Medium Risk
Changes the authentication mechanism used to create releases and upload assets; misconfigured App secrets/permissions could break releases or alter automation trigger behavior.
Overview
Updates
.github/workflows/release.yamlto generate a GitHub App installation token viaactions/create-github-app-token@v1and use it foractions/create-release@v1plus allactions/upload-release-asset@v1steps.Replaces all
secrets.GITHUB_TOKENusage with the app token (sourced fromADMIN_APP_ID/ADMIN_APP_PRIVATE_KEY) so releases and uploaded artifacts are attributed to—and can trigger workflows as—the GitHub App.Written by Cursor Bugbot for commit f356574. This will update automatically on new commits. Configure here.