Problem
Codemagic workflows use a personal access token (attributed to @mdmohsin7) for all gh CLI operations. Every GitHub release created by Codemagic — desktop DMGs, Sparkle ZIPs, mobile builds — appears under @mdmohsin7's account instead of a bot identity.
This is the same class of problem fixed for GitHub Actions in #7275 / PR #7541, where PAT_TOKEN (attributed to @beastoin) was replaced with Omi CI Bot (actions/create-github-app-token@v1).
Affected locations in codemagic.yaml
| Line(s) | Command | Workflow |
|---|---|---|
| L1236, L1239 | gh release list | Desktop Flutter — build number lookup |
| L1272, L1284 | gh release list, gh release download | Desktop Flutter — bundle Omi Computer from latest release |
| L1705, L1714, L1725 | gh release create, gh release upload (x2) | Desktop Flutter — create release with DMG + Sparkle ZIP + signature |
| L2682-L2685 | gh release view, gh release delete, gh release create | Desktop Swift — create release with Sparkle ZIP + DMG |
All authenticated via a personal token stored in Codemagic environment variable groups.
Desired state
Replace the personal token with Omi CI Bot (GitHub App ID 3902754) so releases are attributed to omi-ci-bot[bot] — consistent with GitHub Actions.
Implementation note: Unlike GitHub Actions which has actions/create-github-app-token@v1, Codemagic requires a manual token exchange step:
- Store OMI_BOT_APP_ID + OMI_BOT_PRIVATE_KEY in a Codemagic env var group
- Add a pre-step that generates a JWT from the private key, exchanges it for a short-lived installation token via GitHub API
- Authenticate gh CLI with the installation token (gh auth login --with-token)
Prior art
contents:write is sufficient for gh release create/upload/delete.
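
The token exchange from the implementation note, as an added example (not code from the repository or its codemagic.yaml). It assumes openssl, curl, jq and gh on the build machine and that OMI_BOT_PRIVATE_KEY holds the PEM text; the function names are hypothetical and OWNER/REPO is a placeholder.

```shell
# Added example, not the project's script. Assumes openssl, curl, jq and gh
# on the build machine and OMI_BOT_PRIVATE_KEY holding the PEM text.
# Function names are hypothetical.

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# make_app_jwt APP_ID KEY_FILE: RS256 App JWT (GitHub caps lifetime at 10 min)
make_app_jwt() {
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  # iat is backdated 60 s to tolerate clock drift on the build machine
  claims=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 540))" "$1" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" |
    openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$claims" "$sig"
}

# bot_login OWNER/REPO: runs in a subshell so umask and trap stay local
bot_login() (
  umask 077
  key=$(mktemp)
  trap 'rm -f "$key"' EXIT          # key file never outlives the step
  printf '%s\n' "$OMI_BOT_PRIVATE_KEY" > "$key"
  jwt=$(make_app_jwt "$OMI_BOT_APP_ID" "$key")
  api=https://api.github.com
  accept='Accept: application/vnd.github+json'
  # Look up the App installation that covers this repository
  inst=$(curl -fsS -H "Authorization: Bearer $jwt" -H "$accept" \
    "$api/repos/$1/installation" | jq -r .id)
  if [ -z "$inst" ] || [ "$inst" = null ]; then
    echo "no App installation found for $1" >&2
    exit 1
  fi
  # Request a token limited to this one repo and to contents:write, then
  # pipe it straight into gh so it is never echoed into the build log
  curl -fsS -X POST -H "Authorization: Bearer $jwt" -H "$accept" \
    -d "{\"repositories\":[\"${1#*/}\"],\"permissions\":{\"contents\":\"write\"}}" \
    "$api/app/installations/$inst/access_tokens" |
    jq -r .token | gh auth login --with-token
)
```

In the Codemagic script step, call `bot_login OWNER/REPO` once before the first gh release command.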