feat(release-please): read org credentials so secrets: inherit works #16
Merged
The reusable workflow already supported app-client-id and app-private-key as explicit secret inputs, but every consumer caller in the org omitted them, so release-please always fell back to GITHUB_TOKEN. PRs opened by GITHUB_TOKEN don't trigger downstream pull_request workflows (GitHub anti-recursion), which left release PRs un-mergeable on repos with required checks.

Resolve the App credentials from the org-level variable RELEASE_PLEASE_CLIENT_ID and the org-level secret RELEASE_PLEASE_PRIVATE_KEY when no explicit inputs are given. Org variables auto-inherit into same-org reusable workflows, and `secrets: inherit` on the caller forwards the secret.

Declare RELEASE_PLEASE_PRIVATE_KEY in workflow_call.secrets so actionlint accepts the reference; callers should not pass it explicitly.

Also add `secrets: inherit` to this repo's own release-please.yml caller so its own release PRs trigger downstream workflows.

Assisted-by: Claude Code
Contributor
Author
Tested against release-please-test

Pointed Run: https://github.com/openCoreEMR/release-please-test/actions/runs/26168197740

The mint step resolved both credentials from the org-level fallbacks:
This was referenced May 20, 2026
ci(release-please): pin reusable @1.0.0 and use secrets: inherit, openCoreEMR/oce-cli-import-codes#60 (Merged)
ci(release-please): pin reusable @1.0.0 and use secrets: inherit, openCoreEMR/oce-cli-manage-users#51 (Merged)
Summary

- `vars.RELEASE_PLEASE_CLIENT_ID` and `secrets.RELEASE_PLEASE_PRIVATE_KEY` when callers don't pass them explicitly, so consumers can simply use `secrets: inherit`.
- `secrets: inherit` to this repo's own `release-please.yml` so its release PRs also get App-minted tokens.

Why

The reusable workflow already accepted `app-client-id` / `app-private-key` as explicit secret inputs, but every consumer caller in the org omitted them, so release-please always fell back to `GITHUB_TOKEN`. PRs opened by `GITHUB_TOKEN` don't trigger downstream `pull_request` workflows (GitHub anti-recursion), which left release PRs un-mergeable on repos with required checks (e.g. openCoreEMR/oce-module-cardinal-ui#245).

Example failing PR: openCoreEMR/oce-module-cardinal-ui#245 — author shows `app/github-actions`, no downstream workflows ran.

Test plan

- `actionlint` clean on both workflow files
- `oce-release-please[bot]` (not `github-actions[bot]`) and that downstream checks run on it
- `secrets: inherit` to all 26 consumer repos pinning the new tag
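
The fallback described in this PR, sketched as an added example that is not the PR's own diff: a reusable workflow that prefers the explicit secret inputs and otherwise resolves the org-level variable and secret, next to a caller that relies on `secrets: inherit`. The file names, job and step names, the `push` trigger and the `<org>/<repo>` placeholder are assumptions; the input, variable and secret names and the `@1.0.0` pin are the ones named on this page.

```yaml
# Added example (constructed). File, job and step names, the trigger and the
# <org>/<repo> placeholder are assumptions; input/variable/secret names are the PR's.
# --- reusable workflow (assumed path: .github/workflows/release-please.yml) ---
on:
  workflow_call:
    secrets:
      app-client-id:
        required: false
      app-private-key:
        required: false
      RELEASE_PLEASE_PRIVATE_KEY:   # declared so actionlint accepts the reference;
        required: false             # it arrives through the caller's `secrets: inherit`
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - name: Resolve App credentials (explicit input first, then org-level fallback)
        id: creds
        env:
          CLIENT_ID: ${{ secrets.app-client-id || vars.RELEASE_PLEASE_CLIENT_ID }}
          PRIVATE_KEY: ${{ secrets.app-private-key || secrets.RELEASE_PLEASE_PRIVATE_KEY }}
        run: |
          # Report only which path is taken; never echo the values themselves.
          if [ -n "$CLIENT_ID" ] && [ -n "$PRIVATE_KEY" ]; then
            echo "use-app=true" >> "$GITHUB_OUTPUT"
          else
            echo "use-app=false" >> "$GITHUB_OUTPUT"
            echo "::warning::No App credentials resolved; falling back to GITHUB_TOKEN, so release PRs will not trigger pull_request workflows"
          fi
      # The token-mint and release-please steps would follow here, gated on
      # steps.creds.outputs.use-app (not shown on this page, so omitted).
---
# --- caller in a consumer repo (assumed trigger) ---
on:
  push:
    branches: [main]
jobs:
  release-please:
    uses: <org>/<repo>/.github/workflows/release-please.yml@1.0.0
    # `secrets: inherit` forwards every secret the caller can read, not only
    # RELEASE_PLEASE_PRIVATE_KEY, so the pinned ref is what bounds where they go.
    secrets: inherit
```

The warning in the resolve step makes the silent `GITHUB_TOKEN` fallback visible in the run log, which is the condition that left release PRs without downstream checks.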