From e201e6ec266afee6704e3ff01e000943f22b2605 Mon Sep 17 00:00:00 2001
From: kulesy
Date: Thu, 14 May 2026 11:26:01 +1000
Subject: [PATCH] ci: switch release bot token generation to client-id
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The publish job has been failing with "A JSON web token could not be decoded" since the `BOT_APP_ID` secret value was swapped to the App's Client ID (Iv23li…). `actions/create-github-app-token@v3`'s `app-id` input is deprecated and only accepts numeric App IDs, so a Client ID passed as `app-id` produces an invalid JWT issuer claim. Switch to the `client-id` input to match the secret's current value.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/main.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1ae5155..2c517f5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -73,10 +73,9 @@ jobs:
 id: generate-token
 with:
 # uses https://github.com/organizations/tinacms/settings/apps/release-bot-allow-prs-and-push
- # TODO: migrate to `client-id` once the BOT_APP_ID secret value is confirmed/swapped
- # to the App's Client ID (Iv23li…). `app-id` is deprecated in v3 but still accepted;
- # see https://github.com/organizations/tinacms/settings/apps/release-bot-allow-prs-and-push
- app-id: ${{ secrets.BOT_APP_ID }}
+ # BOT_APP_ID holds the App's Client ID (Iv23li…), so use `client-id`. `app-id` is
+ # deprecated in v3 and rejects non-numeric values, which broke the publish job.
+ client-id: ${{ secrets.BOT_APP_ID }}
 private-key: ${{ secrets.BOT_APP_SECRET }}
 - uses: actions/checkout@v6
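Review bot: The new `client-id` line still reads `secrets.BOT_APP_ID`, so the secret's name now contradicts what it holds, and only the comment above it stops someone from rotating a numeric App ID back in and reproducing the JWT failure described in the commit message. Renaming the secret and referencing it here, for example `client-id: ${{ secrets.BOT_CLIENT_ID }}` (name constructed for illustration), would make the expected value obvious at the point of rotation. Separately, the `with:` block in this hunk passes only `client-id` and `private-key`, so the minted token presumably carries every permission granted to the App installation. If the publish job needs only a subset, the action's `permission-<name>` inputs (e.g. `permission-contents: write`) can narrow it. The step's `uses:` line sits outside the hunk, so the action version is taken from the commit message.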