feat(release-please): org-native reusable workflow on org release App #16
Merged
Host the canonical release-please workflow once here so every repo runs identical logic with zero per-repo drift, replacing the cross-account caller (JacobPEvans-personal/.github/_release-please.yml) that 404s on every run because that App is not installed on the org.
Auth uses the org-level release App: app-id from the GH_ACTION_RELEASE_PLEASE_APP_ID org variable, private key from the GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY org secret. No per-repo secrets-sync, no personal-account dependency. The App token (vs default GITHUB_TOKEN) keeps release PRs triggering pull_request CI gates.
Refs: dryvist/terraform-github#6
Assisted-by: Claude:claude-opus-4-8
Org-native release-please reusable workflow
What
Adds the canonical _release-please.yml reusable workflow to dryvist/.github, hosted once for the whole org. Clean and direct: mint an org App token, run release-please.
Why
Every release-candidate repo currently calls JacobPEvans-personal/.github/.github/workflows/_release-please.yml@main, whose token mint 404s because that App is not installed on the dryvist org — so every release-please run fails and no repo cuts releases via this path. Two root causes: a cross-account dependency and an uninstalled App.
This fixes both: org-owned (no personal-account dependency) and authenticated with the org-level release App — app-id from the GH_ACTION_RELEASE_PLEASE_APP_ID org variable, private key from the GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY org secret. No per-repo secrets-sync.
The App token (not GITHUB_TOKEN) keeps release PRs triggering pull_request CI gates.
Intentionally omitted from the old reusable
Kept deliberately clean — two behaviors from JacobPEvans-personal/.github's _release-please.yml were not copied over because they are workarounds:
workaround, plus its helper script). Assuming GitHub auto-merge works; the release PR is merged by each repo's normal flow. If release PRs visibly stall after this lands, auto-merge comes back as a deliberate, documented step.
always-bump-minor jq override that rewrote release-please-config.json at runtime to block automated major bumps. A workflow editing a repo's config on the fly is a workaround. If the org wants to forbid automated major bumps, set "versioning" in each repo's release-please-config.json (declarative, per-repo, reviewable).
Neither omission blocks the core fix (token mint + release-please).
Follow-up (not in this PR)
JacobPEvans-personal/.github → dryvist/.github, passing GH_ACTION_RELEASE_PLEASE_PRIVATE_KEY.
Contents + Pull requests write. Token mint 404s until then.
Validation
actionlint clean.
Cost impact
free — a reusable definition, no Actions capacity of its own. Calling repos already run release-please on push to main (currently failing); this restores them, all on public repos.
Refs: dryvist/terraform-github#6
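
The follow-up above depends on finding every caller that still points at the personal-account workflow. As an added example (not code from this PR or the dryvist repositories), this Python check scans a caller workflow for job-level reusable-workflow `uses:` references outside the org; going beyond the PR, it also flags refs that are not a full commit SHA. The sample workflow, its job names and the `dryvist/.github/.github/workflows/` path are constructed for illustration.

```python
import re

# Job-level reusable-workflow call: uses: owner/repo/.github/workflows/file.yml@ref
# Step-level actions (e.g. actions/checkout@v4) and local ./ calls do not match.
USES_RE = re.compile(
    r"^\s*uses:\s*['\"]?(?P<owner>[^/\s'\"]+)/(?P<repo>[^/\s'\"]+)/"
    r"(?P<path>\.github/workflows/[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, the only immutable ref

# Constructed caller workflow (illustrative, not taken from any real repo).
SAMPLE = """\
name: release-please
on:
  push:
    branches: [main]
jobs:
  old-caller:
    uses: JacobPEvans-personal/.github/.github/workflows/_release-please.yml@main
  new-caller:
    uses: dryvist/.github/.github/workflows/_release-please.yml@main
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

def audit_workflow(text, org):
    """Return one finding per reusable-workflow call found in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        issues = []
        if m["owner"].lower() != org.lower():
            issues.append("cross-account")  # depends on another account's repo
        if not SHA_RE.match(m["ref"]):
            issues.append("mutable-ref")    # branch or tag can move under the caller
        target = f"{m['owner']}/{m['repo']}/{m['path']}@{m['ref']}"
        findings.append({"line": lineno, "target": target, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE, "dryvist"):
        print(f["line"], f["target"], ",".join(f["issues"]) or "ok")
```

Run it over each repo's `.github/workflows/*.yml`; a caller is migrated once it no longer reports `cross-account`.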