
Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token #3851

Merged
madolson merged 4 commits into valkey-io:unstable from jjuleslasarte:replace-pat-with-github-app
Jun 1, 2026

@jjuleslasarte

Contributor

Use actions/create-github-app-token to generate a scoped installation token for valkey-release-automation instead of the broad AUTOMATION_PAT.

Part of valkey-io/valkey-release-automation#53

Use actions/create-github-app-token to generate a scoped installation
token for valkey-release-automation instead of the broad AUTOMATION_PAT.

Part of valkey-io/valkey-release-automation#53

Signed-off-by: Jules Lasarte <lasartej@amazon.com>
@coderabbitai

coderabbitai Bot commented May 27, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 114b9056-370a-4110-9af1-0034805e13aa

📥 Commits

Reviewing files that changed from the base of the PR and between 2d43353 and 3ee5ebb.

📒 Files selected for processing (1)
  • .github/workflows/trigger-build-release.yml

📝 Walkthrough

The pull request updates the build-release trigger workflow to use GitHub App token authentication instead of a static personal access token. A new step generates an installation token from bot app credentials, and the repository-dispatch step now references this dynamically generated token.

Changes

CI Dispatch Authentication

| Layer / File(s) | Summary |
|---|---|
| GitHub App token generation and dispatch authentication (`.github/workflows/trigger-build-release.yml`) | New step generates installation token via actions/create-github-app-token using VALKEYRIE_BOT_APP_ID and VALKEYRIE_BOT_PRIVATE_KEY. The repository-dispatch step is updated to use the generated token output instead of the static secrets.AUTOMATION_PAT. |

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: replacing AUTOMATION_PAT with a Valkeyrie Bot GitHub App token in the workflow. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the purpose of using a scoped installation token and referencing the related GitHub issue. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/trigger-build-release.yml:
- Around line 43-50: The "Generate token" step uses
actions/create-github-app-token without scoping permissions; update the step
(the job step named "Generate token" that calls
actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 and
supplies app-id, private-key, owner, repositories) to include explicit
least-privilege permissions by adding a permission input such as
permission-contents: write (or other minimal permission required for the
subsequent repository_dispatch) under the with block so the created token is
constrained to only the needed permissions.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 55f69036-17a3-40a6-8fd0-c5d93abd14fc

📥 Commits

Reviewing files that changed from the base of the PR and between 8ee3fd7 and aaa7ee6.

📒 Files selected for processing (1)
  • .github/workflows/trigger-build-release.yml

Comment thread .github/workflows/trigger-build-release.yml
@codecov

codecov Bot commented May 27, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.68%. Comparing base (01034bf) to head (34cfa8c).

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3851      +/-   ##
============================================
+ Coverage     76.61%   76.68%   +0.06%     
============================================
  Files           162      162              
  Lines         80694    80694              
============================================
+ Hits          61823    61877      +54     
+ Misses        18871    18817      -54     

see 19 files with indirect coverage changes


@sarthakaggarwal97 sarthakaggarwal97 left a comment

Contributor


This looks good! Thanks @jjuleslasarte!

@roshkhatri roshkhatri left a comment

Member


The changes look good, but it makes it difficult to test the workflows with the app setup.
We should use/generate the tokens when the wf is running on valkey-io org. This helps the developers test the workflows on their own repositories before PRs.

@sarthakaggarwal97 sarthakaggarwal97 self-requested a review May 28, 2026 20:17
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
@jjuleslasarte jjuleslasarte requested a review from roshkhatri May 29, 2026 20:02
Add conditional to skip token generation when not running on the
valkey-io org, falling back to AUTOMATION_PAT. This allows developers
to test the workflow on their own forks/repositories before PRing.

Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
@jjuleslasarte jjuleslasarte force-pushed the replace-pat-with-github-app branch from 55db301 to 3ee5ebb Compare May 29, 2026 20:02
@jjuleslasarte jjuleslasarte requested a review from madolson May 29, 2026 20:10
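
The two review points raised in this thread (an explicit `permission-contents` scope on the generated token, and skipping token generation outside the valkey-io org with a fallback to AUTOMATION_PAT) combined in one workflow, as an added example that is not the PR's actual `trigger-build-release.yml`. The action SHA, input names and credential names are the ones quoted above; the trigger, step id, event type, storing both credentials as secrets, and dispatching with `gh api` are assumptions.

```yaml
# Added example, not the merged workflow. Assumptions: the trigger, step id,
# EVENT_TYPE placeholder, and using `gh api` for the dispatch.
name: trigger-build-release (example)
on:
  workflow_dispatch:

permissions: {}  # the built-in GITHUB_TOKEN is not used for the dispatch

jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      # Only mint an App token inside the valkey-io org, where the app is
      # installed. On a fork this step is skipped and its outputs are empty.
      - name: Generate token
        id: generate-token
        if: github.repository_owner == 'valkey-io'
        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547
        with:
          app-id: ${{ secrets.VALKEYRIE_BOT_APP_ID }}
          private-key: ${{ secrets.VALKEYRIE_BOT_PRIVATE_KEY }}
          owner: valkey-io
          repositories: valkey-release-automation
          # Without permission-* inputs the token inherits every permission
          # granted to the installation. The dispatches endpoint only needs
          # Contents: write.
          permission-contents: write

      - name: Trigger release build
        env:
          # Empty output (skipped step) falls through to the fork's own PAT.
          GH_TOKEN: ${{ steps.generate-token.outputs.token || secrets.AUTOMATION_PAT }}
          TARGET_REPO: ${{ github.repository_owner }}/valkey-release-automation
          EVENT_TYPE: example-build-release  # placeholder, not the real event name
        run: |
          gh api --method POST "repos/${TARGET_REPO}/dispatches" \
            -f "event_type=${EVENT_TYPE}"
```

Inside valkey-io the fallback never reaches AUTOMATION_PAT: if token generation fails, the step fails and the job stops instead of continuing with an empty output.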

@roshkhatri roshkhatri left a comment

Member


Thank you for the changes @jjuleslasarte :)

@madolson madolson merged commit c15ecf1 into valkey-io:unstable Jun 1, 2026
63 checks passed
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 9.0 Jun 1, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 7.2 Jun 1, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 9.1 Jun 1, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 8.1 Jun 1, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 8.0 Jun 1, 2026
eifrah-aws pushed a commit to eifrah-aws/valkey that referenced this pull request Jun 2, 2026
…#3851)

Use actions/create-github-app-token to generate a scoped installation
token for valkey-release-automation instead of the broad AUTOMATION_PAT.

Part of valkey-io/valkey-release-automation#53

---------

Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Co-authored-by: Jules Lasarte <lasartej@amazon.com>
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 4, 2026
bandalgomsu pushed a commit to bandalgomsu/valkey that referenced this pull request Jun 4, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 4, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 5, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 5, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 10, 2026
ranshid added a commit that referenced this pull request Jun 11, 2026
# Backport sweep for 9.1

Automated cherry-picks from PRs marked "To be backported".

## Applied

| Source PR | Title | Detail |
|---|---|---|
| #3743 | Fix buffered_reply assert in HFE commands with module keyspace notifications | cherry-picked in a prior sweep |
| #3766 | Fix flaky block_keyspace_notification test for HGETDEL notify race | cherry-picked in a prior sweep |
| #3800 | Fix heap-use-after-free in ACL LOAD when client free is deferred | cherry-picked in a prior sweep |
| #3723 | Fix double-finish and RESP reply violation in cluster slot migration | cherry-picked in a prior sweep |
| #3872 | Redacting customer information when hide_user_data_from_log is true in rdb.c, networking.c, debug.c and t_hash | cherry-picked in a prior sweep |
| #3846 | Fix use-after-free in VM_RegisterClusterMessageReceiver | cherry-picked in a prior sweep |
| #3806 | Add ALL_DBS flag to CLUSTER FLUSHSLOT for database-level ACL | cherry-picked in a prior sweep |
| #3847 | Harden SENTINEL commands and config rewrite against control-character injection | |
| #3801 | Validate every DB clause in COPY against ACL db= permissions | |
| #3851 | Replace AUTOMATION_PAT with Valkeyrie Bot GitHub App token | |
| #3848 | Fix cluster AUX-field control-character and delimiter injection | |
| #3544 | Revert "IO-Threads redesign cleanup work (#3544)" | cherry-picked in a prior sweep |
| #3888 | Report exact dbid for COPY in ACL LOG when db= access is denied | conflicts resolved by Claude Code |
| #3942 | Fix shard_id format specifier in UPDATE message log | |
| #3941 | Avoid random() % 0 undefined behaviour when cluster-node-timeout < 30 | |

---
*Generated by valkey-ci-agent using Claude Code.*

---------

Signed-off-by: Binbin <binloveplay1314@qq.com>
Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
Signed-off-by: chx9 <lovelypiska@outlook.com>
Signed-off-by: zackcam <zackcam@amazon.com>
Signed-off-by: Eran Ifrah <eifrah@amazon.com>
Signed-off-by: Jules Lasarte <lasartej@amazon.com>
Signed-off-by: jjuleslasarte <jules.lasarte@gmail.com>
Signed-off-by: akash kumar <akumdev@amazon.com>
Co-authored-by: Binbin <binloveplay1314@qq.com>
Co-authored-by: Ran Shidlansik <ranshid@amazon.com>
Co-authored-by: lovelypiska <lovelypiska@outlook.com>
Co-authored-by: zackcam <zackcam@amazon.com>
Co-authored-by: eifrah-aws <eifrah@amazon.com>
Co-authored-by: jjuleslasarte <jules.lasarte@gmail.com>
Co-authored-by: Jules Lasarte <lasartej@amazon.com>
Co-authored-by: Akash Kumar <45854686+akashkgit@users.noreply.github.com>
@sarthakaggarwal97 sarthakaggarwal97 moved this from To be backported to Done in Valkey 9.1 Jun 15, 2026
sarthakaggarwal97 pushed a commit that referenced this pull request Jun 17, 2026
@valkeyrie-ops valkeyrie-ops Bot moved this from To be backported to Done in Valkey 7.2 Jun 17, 2026
sarthakaggarwal97 pushed a commit that referenced this pull request Jun 18, 2026
@valkeyrie-ops valkeyrie-ops Bot moved this from To be backported to Done in Valkey 8.0 Jun 18, 2026
valkeyrie-ops Bot pushed a commit that referenced this pull request Jun 21, 2026