From dd7f6650d7653b2110bd54d7bcd7d65df9ca8d91 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 11 Feb 2026 10:19:00 +0000 Subject: [PATCH 1/2] ci: Switch from SENTRY_RELEASE_BOT to SENTRY_INTERNAL_APP Replace SENTRY_RELEASE_BOT_CLIENT_ID/SENTRY_RELEASE_BOT_PRIVATE_KEY references with SENTRY_INTERNAL_APP_ID/SENTRY_INTERNAL_APP_PRIVATE_KEY across workflows and docs. The auto-approve actor check now accepts both sentry-release-bot[bot] and getsantry[bot] to support the transition period. --- .github/workflows/auto-approve.yml | 6 +++--- .github/workflows/publish.yml | 8 ++++---- README.md | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index dd8add0..4f252d9 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -10,7 +10,7 @@ jobs: auto-approve: runs-on: ubuntu-latest if: | - github.actor == 'sentry-release-bot[bot]' && + (github.actor == 'sentry-release-bot[bot]' || github.actor == 'getsantry[bot]') && startsWith(github.event.issue.title, 'publish: ') steps: - uses: actions/checkout@v4 @@ -21,8 +21,8 @@ jobs: id: token uses: actions/create-github-app-token@v2.2.1 with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + app-id: ${{ vars.SENTRY_INTERNAL_APP_ID }} + private-key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }} - name: Auto-approve if repo is in the list env: GH_TOKEN: ${{ steps.token.outputs.token }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 86c3b53..e3646ce 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -62,12 +62,12 @@ jobs: echo 'taking craft config from branch ${{ fromJSON(steps.inputs.outputs.result).merge_target }} in ${{ fromJSON(steps.inputs.outputs.result).repo }}' echo 'target_repo_branch=${{ fromJSON(steps.inputs.outputs.result).merge_target }}' >> "$GITHUB_OUTPUT" - - name: Get Release Bot auth token + - name: Get auth token id: token uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: - app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} - private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} + app-id: ${{ vars.SENTRY_INTERNAL_APP_ID }} + private-key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }} owner: getsentry # create token that have access to all repos - uses: actions/checkout@v6 @@ -110,7 +110,7 @@ jobs: GITHUB_TOKEN: ${{ steps.token.outputs.token }} # We need to use separate tokens for GHCR.IO and GitHub API access # Because we can only access ghcr.io with GITHUB_TOKEN but that token - # cannot do other cross-repo operations like our Release Bot App + # cannot do other cross-repo operations like our Internal App # Thanks GitHub DOCKER_GHCR_IO_USERNAME: x-access-token # for ghcr.io auth DOCKER_GHCR_IO_PASSWORD: ${{ secrets.GITHUB_TOKEN }} # for ghcr.io auth diff --git a/README.md b/README.md index 1152f46..bc4ad54 100644 --- a/README.md +++ b/README.md @@ -68,8 +68,8 @@ Automatic approvals are managed in the [`auto-approve.yml`](https://github.com/g ## Under the hood -The system uses [Craft](https://github.com/getsentry/craft) under the hood to prepare and publish releases. It uses tokens from [Sentry Release Bot](https://github.com/apps/sentry-release-bot) is a GitHub App that is installed on all repos in `getsentry` with read and write access to code, PRs, and actions. We utilize the [create-github-app-token](https://github.com/actions/create-github-app-token) to generate a short live token in every action run, with `SENTRY_RELEASE_BOT_CLIENT_ID` and `SENTRY_RELEASE_BOT_PRIVATE_KEY` defined at the organization level. +The system uses [Craft](https://github.com/getsentry/craft) under the hood to prepare and publish releases. It uses tokens from [Sentry Release Bot](https://github.com/apps/sentry-release-bot) is a GitHub App that is installed on all repos in `getsentry` with read and write access to code, PRs, and actions. We utilize the [create-github-app-token](https://github.com/actions/create-github-app-token) to generate a short live token in every action run, with `SENTRY_INTERNAL_APP_ID` and `SENTRY_INTERNAL_APP_PRIVATE_KEY` defined at the organization level. This repo is read-only for everyone except for release managers. This is because all sensitive secrets such as admin-level GitHub access tokens or package repository publishing tokens (npm, PyPI, cargo, etc.) are defined in this repository as secrets and anyone with write access can create or trigger an arbitrary GitHub action workflow, exposing these secrets without any indication. See getsentry/sentry#21930 for an example. -Due to the same reason above, [action-prepare-release](https://github.com/getsentry/action-prepare-release/) also utilizes tokens from Sentry Release Bot. This is to automatically create publish request issues from the action. We cannot use `GITHUB_TOKEN` for these actions as [GitHub prevents triggering more workflows via this token](https://docs.github.com/en/actions/reference/events-that-trigger-workflows). +Due to the same reason above, [action-prepare-release](https://github.com/getsentry/action-prepare-release/) also utilizes tokens from the Sentry Internal App. This is to automatically create publish request issues from the action. We cannot use `GITHUB_TOKEN` for these actions as [GitHub prevents triggering more workflows via this token](https://docs.github.com/en/actions/reference/events-that-trigger-workflows). From 862158e283ff207fcda28e6c26419911fd8985b2 Mon Sep 17 00:00:00 2001 From: Burak Yigit Kaya Date: Wed, 11 Feb 2026 10:20:37 +0000 Subject: [PATCH 2/2] ci: Revert README.md changes --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bc4ad54..1152f46 100644 --- a/README.md +++ b/README.md @@ -68,8 +68,8 @@ Automatic approvals are managed in the [`auto-approve.yml`](https://github.com/g ## Under the hood -The system uses [Craft](https://github.com/getsentry/craft) under the hood to prepare and publish releases. It uses tokens from [Sentry Release Bot](https://github.com/apps/sentry-release-bot) is a GitHub App that is installed on all repos in `getsentry` with read and write access to code, PRs, and actions. We utilize the [create-github-app-token](https://github.com/actions/create-github-app-token) to generate a short live token in every action run, with `SENTRY_INTERNAL_APP_ID` and `SENTRY_INTERNAL_APP_PRIVATE_KEY` defined at the organization level. +The system uses [Craft](https://github.com/getsentry/craft) under the hood to prepare and publish releases. It uses tokens from [Sentry Release Bot](https://github.com/apps/sentry-release-bot) is a GitHub App that is installed on all repos in `getsentry` with read and write access to code, PRs, and actions. We utilize the [create-github-app-token](https://github.com/actions/create-github-app-token) to generate a short live token in every action run, with `SENTRY_RELEASE_BOT_CLIENT_ID` and `SENTRY_RELEASE_BOT_PRIVATE_KEY` defined at the organization level. This repo is read-only for everyone except for release managers. This is because all sensitive secrets such as admin-level GitHub access tokens or package repository publishing tokens (npm, PyPI, cargo, etc.) are defined in this repository as secrets and anyone with write access can create or trigger an arbitrary GitHub action workflow, exposing these secrets without any indication. See getsentry/sentry#21930 for an example. -Due to the same reason above, [action-prepare-release](https://github.com/getsentry/action-prepare-release/) also utilizes tokens from the Sentry Internal App. This is to automatically create publish request issues from the action. We cannot use `GITHUB_TOKEN` for these actions as [GitHub prevents triggering more workflows via this token](https://docs.github.com/en/actions/reference/events-that-trigger-workflows). +Due to the same reason above, [action-prepare-release](https://github.com/getsentry/action-prepare-release/) also utilizes tokens from Sentry Release Bot. This is to automatically create publish request issues from the action. We cannot use `GITHUB_TOKEN` for these actions as [GitHub prevents triggering more workflows via this token](https://docs.github.com/en/actions/reference/events-that-trigger-workflows).