## Problem

Release-please uses `GITHUB_TOKEN` to create its PR, which means the PR author is `github-actions[bot]`. This causes two issues:

- **Self-approval deadlock:** The auto-approve workflow also runs as `github-actions[bot]` (via `GITHUB_TOKEN`), so GitHub rejects the approval with "Can not approve your own pull request." Any commit pushed to a release-please PR that dismisses a stale human review leaves the PR stuck.
- **Event suppression:** Pushes made with `GITHUB_TOKEN` do not trigger `pull_request` events (a GitHub security feature that prevents recursive workflow runs). This means CI and auto-approve never run automatically on release-please PR updates; they must be triggered manually.

Both issues were hit on PR #69 (v0.0.1 release). The workaround was disabling `require_last_push_approval` in the ruleset and re-approving manually.
## Solution

Use a dedicated GitHub App token for release-please, matching the pattern in coolify-terraform/terraform-provider-coolify. This is already documented in our `ci-branch-protection` skill ("Caveat: release-please PRs and the identity separation fix").
## Steps

### 1. Create the GitHub App

- Go to the patchloom org Settings > Developer settings > GitHub Apps > New GitHub App
- Name: `patchloom-auto-approve` (or similar)
- Homepage URL: `https://github.com/patchloom`
- Uncheck Webhook (Active) since no webhook endpoint is needed
- Permissions:
  - Repository permissions > Contents: Read and write (create tags and releases)
  - Repository permissions > Pull requests: Read and write (create and update release PRs)
- Where can this GitHub App be installed? Only on this account
- Create the App
### 2. Generate a private key

- On the App settings page, scroll to "Private keys" and click "Generate a private key"
- Download the `.pem` file
### 3. Install the App on patchloom repos

- On the App settings page, click "Install App" in the sidebar
- Install on the `patchloom` org
- Select repositories: at minimum `patchloom-vscode`, optionally all repos that use release-please
### 4. Store credentials as repo secrets/variables

```bash
# Store the Client ID as a repository variable
gh variable set AUTO_APPROVE_CLIENT_ID \
  --repo patchloom/patchloom-vscode \
  --body "<client-id-from-app-settings>"

# Store the private key as a repository secret
gh secret set AUTO_APPROVE_PRIVATE_KEY \
  --repo patchloom/patchloom-vscode \
  --body "$(cat path/to/private-key.pem)"
```

Repeat for `patchloom/patchloom` if it uses release-please.
### 5. Update release.yml

Add the App token step before release-please and pass the token:

```yaml
release-please:
  steps:
    - uses: step-security/harden-runner@...
      with:
        egress-policy: audit
    - uses: actions/create-github-app-token@v3
      id: app-token
      with:
        client-id: ${{ vars.AUTO_APPROVE_CLIENT_ID }}
        private-key: ${{ secrets.AUTO_APPROVE_PRIVATE_KEY }}
    - uses: googleapis/release-please-action@v4
      id: release
      with:
        config-file: release-please-config.json
        manifest-file: .release-please-manifest.json
        token: ${{ steps.app-token.outputs.token }}
```
### 6. Update auto-approve.yml

Two changes:

a) Switch from `github.event.pull_request.user.login` to `github.actor` (per ci-branch-protection skill recommendation):

```yaml
if: >
  github.actor == 'SebTardif' ||
  github.actor == 'dependabot[bot]' ||
  github.actor == 'patchloom-auto-approve[bot]'
```

b) Include the App bot identity in the trusted actor list (replace `patchloom-auto-approve[bot]` with the actual App slug).
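The two workflow edits in steps 5 and 6 are easy to regress (someone re-adds `secrets.GITHUB_TOKEN`, or the App slug is dropped from the trusted list). The lint below, an added example rather than anything from the patchloom repos, checks both. The workflow dicts are constructed stand-ins for what `yaml.safe_load()` returns on `release.yml` and `auto-approve.yml`; the `patchloom-auto-approve[bot]` slug is the placeholder used in this issue.

```python
"""Lint the release.yml / auto-approve.yml changes from steps 5 and 6.

Added example, not the project's own code.  The dicts below are constructed
to mirror yaml.safe_load() output; swap in the real files via PyYAML if wanted.
"""
from __future__ import annotations

import re

APP_SLUG = "patchloom-auto-approve[bot]"  # placeholder: replace with the real App slug

# Constructed: release.yml before the fix (release-please still on GITHUB_TOKEN).
RELEASE_BEFORE = {
    "jobs": {"release-please": {"steps": [
        {"uses": "googleapis/release-please-action@v4", "id": "release",
         "with": {"token": "${{ secrets.GITHUB_TOKEN }}"}},
    ]}}
}

# Constructed: release.yml after step 5 (App token minted first, then passed on).
RELEASE_AFTER = {
    "jobs": {"release-please": {"steps": [
        {"uses": "actions/create-github-app-token@v3", "id": "app-token",
         "with": {"client-id": "${{ vars.AUTO_APPROVE_CLIENT_ID }}",
                  "private-key": "${{ secrets.AUTO_APPROVE_PRIVATE_KEY }}"}},
        {"uses": "googleapis/release-please-action@v4", "id": "release",
         "with": {"token": "${{ steps.app-token.outputs.token }}"}},
    ]}}
}

# Constructed: the auto-approve `if:` condition before and after step 6.
AUTO_APPROVE_IF_BEFORE = (
    "github.event.pull_request.user.login == 'SebTardif' || "
    "github.event.pull_request.user.login == 'dependabot[bot]'"
)
AUTO_APPROVE_IF_AFTER = (
    "github.actor == 'SebTardif' || github.actor == 'dependabot[bot]' || "
    "github.actor == 'patchloom-auto-approve[bot]'"
)

_ACTOR_RE = re.compile(r"github\.actor\s*==\s*'([^']+)'")


def lint_release_workflow(workflow: dict) -> list[str]:
    """Return findings; empty means release-please runs on the App token
    minted by an earlier create-github-app-token step."""
    findings: list[str] = []
    steps = workflow["jobs"]["release-please"]["steps"]
    token_step_index = None
    for i, step in enumerate(steps):
        uses = step.get("uses", "")
        if uses.startswith("actions/create-github-app-token@"):
            token_step_index = i
        if uses.startswith("googleapis/release-please-action@"):
            token = step.get("with", {}).get("token", "")
            if not token or "GITHUB_TOKEN" in token:
                findings.append("release-please would run as github-actions[bot]; pass the App token")
            elif token_step_index is None or token_step_index > i:
                findings.append("App token step must precede release-please")
    if token_step_index is None:
        findings.append("no actions/create-github-app-token step in the job")
    return findings


def lint_auto_approve_condition(condition: str, app_slug: str) -> list[str]:
    """Return findings; empty means the condition keys on github.actor and
    the App bot identity is in the trusted actor list."""
    findings: list[str] = []
    if "github.event.pull_request.user.login" in condition:
        findings.append("condition keys on the PR author; use github.actor (who pushed)")
    trusted = set(_ACTOR_RE.findall(condition))
    if app_slug not in trusted:
        findings.append(f"{app_slug} is not in the trusted actor list")
    return findings
```

Run `lint_release_workflow` and `lint_auto_approve_condition` over the loaded workflow files in a pre-commit hook or a small CI job; both functions are pure and return the list of findings rather than printing, so they are easy to assert on.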
### 7. Re-enable require_last_push_approval

Once the App is in place, re-enable this ruleset setting:

```bash
gh api repos/patchloom/patchloom-vscode/rulesets/17289136 \
  --method PUT --input - <<EOF
{
  "rules": [
    {
      "type": "pull_request",
      "parameters": {
        "require_last_push_approval": true,
        "dismiss_stale_reviews_on_push": true,
        "require_code_owner_review": false,
        "required_approving_review_count": 1,
        "required_review_thread_resolution": false
      }
    }
  ]
}
EOF
```
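The PUT above sends a `rules` array containing only the `pull_request` rule. On the assumption that the update endpoint replaces the ruleset's `rules` with whatever array it receives, any other rules on the ruleset (a deletion or force-push block, for instance) would be dropped by that call. The script below, an added example and not part of this issue, reads the current ruleset from stdin, flips only `require_last_push_approval`, and writes a body for the PUT; the sample ruleset is constructed and not the real ruleset 17289136.

```python
"""Enable require_last_push_approval while preserving every other rule.

Added example, not the project's own script.  Assumes the rulesets PUT
endpoint replaces the `rules` array with what is sent, so the safe pattern
is GET -> edit -> PUT:

  gh api repos/patchloom/patchloom-vscode/rulesets/17289136 \
    | python3 enable_last_push_approval.py \
    | gh api repos/patchloom/patchloom-vscode/rulesets/17289136 --method PUT --input -
"""
import copy
import json
import sys

# Constructed sample of a ruleset response, trimmed to the fields used here;
# a real response carries more metadata (enforcement, conditions, ...).
SAMPLE_RULESET = {
    "id": 17289136,
    "name": "main",
    "rules": [
        {"type": "deletion"},
        {"type": "non_fast_forward"},
        {"type": "pull_request", "parameters": {
            "require_last_push_approval": False,
            "dismiss_stale_reviews_on_push": True,
            "require_code_owner_review": False,
            "required_approving_review_count": 1,
            "required_review_thread_resolution": False}},
    ],
}


def enable_last_push_approval(ruleset: dict) -> dict:
    """Return a PUT body whose rules equal the input rules, with
    require_last_push_approval set on the pull_request rule only."""
    rules = copy.deepcopy(ruleset.get("rules", []))
    pr_rules = [r for r in rules if r.get("type") == "pull_request"]
    if not pr_rules:
        raise ValueError("ruleset has no pull_request rule to update")
    for rule in pr_rules:
        rule.setdefault("parameters", {})["require_last_push_approval"] = True
    return {"rules": rules}


if __name__ == "__main__":
    current = json.load(sys.stdin)
    json.dump(enable_last_push_approval(current), sys.stdout, indent=2)
```

Because the function deep-copies the input, the original ruleset object is untouched, which makes it easy to diff the before and after bodies before running the PUT.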
### 8. Test

- Push a commit to main to trigger release-please
- Verify the release PR is created by `patchloom-auto-approve[bot]` (not `github-actions[bot]`)
- Verify CI triggers on the release PR automatically
- Verify auto-approve approves and enables auto-merge
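The manual checks in step 8 come down to the identity separation described in the Problem section: the PR author and the approving identity must differ, and auto-merge must be on. The script below, an added example rather than project code, runs those checks on the JSON from `gh pr view <n> --repo patchloom/patchloom-vscode --json author,reviews,autoMergeRequest`. The sample PR objects are constructed; the assumption that `gh` reports bot logins as `app/<slug>` is handled by a normaliser that also accepts the `<slug>[bot]` form, and `patchloom-auto-approve` is the placeholder slug from this issue.

```python
"""Verify a release-please PR after the App-token change (step 8).

Added example, not the project's own code.  Input is the JSON printed by
`gh pr view <n> --json author,reviews,autoMergeRequest`.  Bot logins are
assumed to appear as "app/<slug>" or "<slug>[bot]"; both are normalised.
"""
from __future__ import annotations

import json
import sys

APP_SLUG = "patchloom-auto-approve"  # placeholder: replace with the real App slug
LEGACY_BOT = "github-actions"        # the identity GITHUB_TOKEN acts as

# Constructed: a PR that passes every check in step 8.
GOOD_PR = {
    "author": {"login": "app/patchloom-auto-approve", "is_bot": True},
    "reviews": [{"author": {"login": "app/github-actions"}, "state": "APPROVED"}],
    "autoMergeRequest": {"enabledBy": {"login": "app/github-actions"}},
}

# Constructed: the pre-fix situation from PR #69 (author and approver are the
# same GITHUB_TOKEN identity, so no approval landed and auto-merge is off).
STUCK_PR = {
    "author": {"login": "app/github-actions", "is_bot": True},
    "reviews": [],
    "autoMergeRequest": None,
}


def normalise(login: str) -> str:
    """Map 'app/foo', 'foo[bot]' and 'foo' to 'foo'."""
    if login.startswith("app/"):
        login = login[len("app/"):]
    if login.endswith("[bot]"):
        login = login[: -len("[bot]")]
    return login


def check_release_pr(pr: dict, app_slug: str = APP_SLUG) -> list[str]:
    """Return findings; empty means the PR is authored by the App, approved
    by a different identity, and has auto-merge enabled."""
    findings: list[str] = []
    author = normalise(pr["author"]["login"])
    if author != app_slug:
        findings.append(f"PR author is {author}, expected {app_slug}")
    if author == LEGACY_BOT:
        findings.append("PR author is github-actions[bot]: release-please is still on GITHUB_TOKEN")
    approvers = {
        normalise(r["author"]["login"])
        for r in pr.get("reviews", [])
        if r.get("state") == "APPROVED"
    }
    # An approval from the author's own identity is what GitHub rejects with
    # "Can not approve your own pull request", so it must not be counted.
    if not (approvers - {author}):
        findings.append("no approval from an identity other than the PR author")
    if not pr.get("autoMergeRequest"):
        findings.append("auto-merge is not enabled")
    return findings


if __name__ == "__main__":
    problems = check_release_pr(json.load(sys.stdin))
    print("\n".join(problems) if problems else "OK: release PR identity separation verified")
    sys.exit(1 if problems else 0)
```

Piping `gh pr view --json ...` into this script gives a non-zero exit when any step 8 expectation fails, which makes it usable as a post-release smoke check.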
## Reference
- `ci-branch-protection` (lines 44-91, "Caveat: release-please PRs and the identity separation fix")