ci(release): migrate to Craft reusable workflow #148
Conversation
Switch from action-prepare-release to the Craft reusable workflow, which is simpler and handles authentication/checkout internally. - Version input is now optional, defaults to 'auto' (inferred from commits) - Uses secrets: inherit to pass required credentials See https://craft.sentry.dev/github-actions/ for documentation. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
vaind
force-pushed
the
ci/craft-reusable-workflow
branch
from
46cbf0a to
78f9dd2
Compare
| with: | ||
| version: ${{ inputs.version || 'auto' }} | ||
| force: ${{ inputs.force || 'false' }} | ||
| secrets: inherit |
There was a problem hiding this comment.
You need the special token for release bot otherwise your releases will fail
There was a problem hiding this comment.
Like this?
GraphQL: Resource not accessible by integration (createIssue)
Error: Process completed with exit code 1.
https://github.com/getsentry/github-workflows/actions/workflows/release.yml
There was a problem hiding this comment.
@BYK I'm confused why do docs say to use the reusable workflow as the recommended way to set up?
FWIW I've ran this by Claude and this seams reasonable:
The problem in Craft's release.yml:
This step ONLY runs for the Craft repo itself
- name: Get auth token
id: token
if: github.event_name == 'workflow_dispatch' && github.repository == 'getsentry/craft'
uses: actions/create-github-app-token@...
with:
app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}For external repos: uses github.token which can't create issues in getsentry/publish
- name: Prepare release
if: github.repository != 'getsentry/craft'
env:
GITHUB_TOKEN: ${{ github.token }} # <-- this is the problemSince secrets: inherit already passes SENTRY_RELEASE_BOT_PRIVATE_KEY through, and vars.SENTRY_RELEASE_BOT_CLIENT_ID is available at the org level, the credentials are already there — Craft just doesn't use them for external repos.
What would need to change in Craft:
- Remove the repository guard on the token step — or add a second token step for external repos:
- name: Get auth token
id: token
- if: github.event_name == 'workflow_dispatch' && github.repository == 'getsentry/craft'
- if: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY != '' }}- Use the app token (with fallback) in the external repos step:
- name: Prepare release
if: github.repository != 'getsentry/craft'
env:
- GITHUB_TOKEN: ${{ github.token }}
+ GITHUB_TOKEN: ${{ steps.token.outputs.token || github.token }}- Same for the checkout step (already correct — it does
${{ steps.token.outputs.token || github.token }}).
An alternative Craft-side approach would be to add an explicit token secret to workflow_call:
workflow_call:
secrets:
token:
description: 'Token with cross-repo issue creation permissions'
required: falseThen callers would generate the token themselves and pass it. But that's more boilerplate per-repo and defeats the purpose of the reusable workflow simplifying things.
3 participants
Summary
Migrate from the deprecated
action-prepare-releaseto Craft's reusable workflow.This is a simplified approach compared to #141, using the reusable workflow pattern recommended in the Craft documentation.
Changes
getsentry/craft/.github/workflows/release.yml@v2reusable workflowauto- inferred from conventional commits)Supersedes #141
🤖 Generated with Claude Code