
Use docs-bot app token for generated changelog and CLI doc PRs #1537

Open: justinegeffen wants to merge 2 commits into master from justine-bot-token-on-generated-prs


@justinegeffen

Contributor

Summary

Brings changelog-from-releases.yml and update-cli-docs.yml in line with the cross-repo content pipelines so generated PRs trigger downstream CI.

Problem

PRs created with secrets.GITHUB_TOKEN are authored by github-actions[bot]. GitHub deliberately does not fire downstream workflows from PRs opened by github-actions[bot] (it's the anti-recursion guard for cases where a workflow that writes also triggers itself). Net effect: every changelog PR and CLI doc PR landed without check-internal-links, pre-commit-check, or no-conflict-markers ever running on it.

The Platform → docs dispatch flows (update-permissions-docs.yml, update-audit-events-docs.yml) already use the docs-bot GitHub App token and don't have this problem. This PR extends the same pattern to the other two.

Changes

  • Add a Generate docs app token step (using actions/create-github-app-token@v3.0.0, same SHA used in the four existing workflows) wrapping DOCS_BOT_APP_ID / DOCS_BOT_APP_PRIVATE_KEY.
  • Pass that token to actions/checkout so git push inside generate-changelog.py authenticates as the bot, and to gh pr create / peter-evans/create-pull-request so the PR itself is opened by the bot.
  • Tighten changelog-from-releases.yml top-level permissions: — it no longer needs contents: write / pull-requests: write on GITHUB_TOKEN since the bot token handles both.

No secret changes required

DOCS_BOT_APP_ID and DOCS_BOT_APP_PRIVATE_KEY are already configured for the permissions and audit-events workflows. The docs-bot GitHub App is already installed on this repo with contents + pull request write.

Test plan

  • Manual-dispatch Changelogs workflow against seqeralabs/wave with a single release tag. Confirm the generated PR is authored by the docs-bot user and that check-internal-links, pre-commit-check, etc. fire on it.
  • Manual-dispatch Update CLI Documentation against a tower-cli release. Confirm the generated PR triggers downstream CI.
  • Confirm the existing permissions / audit-events PR flows still work (no change there, just sanity).

🤖 Generated with Claude Code
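The failure mode described above, as an added audit sketch that is not part of this PR or the repository's own code: it scans workflow text for PR-opening steps that would be authored by github-actions[bot] and so skip downstream CI. It is a text-level heuristic rather than a YAML parser, the sample workflow, step names and `app-token` step id are constructed, and `gh` steps that inherit a token from job-level `env` are not resolved.

```python
import re

# Constructed sample workflow (not taken from the PR). The step names and the
# "app-token" step id are hypothetical.
SAMPLE = """\
jobs:
  generate:
    steps:
      - name: Open changelog PR
        run: gh pr create --fill
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Open CLI docs PR
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ steps.app-token.outputs.token }}
      - name: Open PR with implicit token
        uses: peter-evans/create-pull-request@v6
"""

# A step begins at a list item whose first key is a known step key.
STEP_START = re.compile(r"(?m)^[ \t]*- (?=(?:name|id|uses|run|if|env|with):)")
OPENS_PR = re.compile(r"peter-evans/create-pull-request|gh\s+pr\s+create")
DEFAULT_TOKEN = re.compile(r"secrets\.GITHUB_TOKEN|github\.token")
TOKEN_KEY = re.compile(r"(?m)^[ \t]*(?:token|GH_TOKEN|GITHUB_TOKEN)[ \t]*:")


def audit_workflow(text):
    """Return (step name, reason) for PR-opening steps authored by github-actions[bot]."""
    findings = []
    for step in STEP_START.split(text)[1:]:
        if not OPENS_PR.search(step):
            continue
        name = re.search(r"(?m)^[ \t]*name:[ \t]*(.+)$", step)
        label = name.group(1).strip() if name else "<unnamed step>"
        if DEFAULT_TOKEN.search(step):
            findings.append((label, "explicit default token"))
        elif "create-pull-request" in step and not TOKEN_KEY.search(step):
            # The action's token input defaults to the workflow's GITHUB_TOKEN.
            findings.append((label, "implicit default token"))
    return findings


if __name__ == "__main__":
    for label, reason in audit_workflow(SAMPLE):
        print(f"{label}: {reason}; downstream workflows will not run on this PR")
```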

PRs created with secrets.GITHUB_TOKEN are authored by github-actions[bot],
and GitHub deliberately does not trigger downstream workflows from those —
to prevent recursion. Net effect: changelog PRs from
changelog-from-releases.yml and CLI doc PRs from update-cli-docs.yml were
landing without check-internal-links, pre-commit-check, or
no-conflict-markers ever running on them.

Switch both workflows to the same docs-bot GitHub App token already used
by update-permissions-docs.yml and update-audit-events-docs.yml. Now
generated PRs are opened by the bot user and downstream CI runs as
expected.

- Add a "Generate docs app token" step that wraps
  actions/create-github-app-token with DOCS_BOT_APP_ID /
  DOCS_BOT_APP_PRIVATE_KEY (already configured in repo secrets).
- Use the token on actions/checkout so `git push` inside
  generate-changelog.py is authenticated as the bot.
- Pass the token to gh / peter-evans/create-pull-request for the PR
  itself.
- Tighten the changelog workflow's top-level permissions block now that
  it no longer needs write scopes on GITHUB_TOKEN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@netlify

netlify Bot commented Jun 8, 2026


Deploy Preview for seqera-docs ready!

Name Link
🔨 Latest commit e70fd07
🔍 Latest deploy log https://app.netlify.com/projects/seqera-docs/deploys/6a292facfa27910008abb238
😎 Deploy Preview https://deploy-preview-1537--seqera-docs.netlify.app

@justinegeffen justinegeffen added the 1. Dev/PM/SME Needs a review by a Dev/PM/SME label Jun 8, 2026
Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>