chore: switch deploy to GitHub App token and gate recursive runs#681

Merged: mahmoud-elmorabea merged 1 commit into main from mbl-app-bypass-migration on May 8, 2026

Conversation

mahmoud-elmorabea (Contributor) commented May 8, 2026

Overview

Migrate the Deploy SDK workflow to authenticate with the cio-mobile-release GitHub App so it can be the sole bypass actor on a forthcoming main ruleset (replacing classic branch protection). Without these workflow changes, locking down main would reject semantic-release's prepare-commit and tag push with GH013.

What changed

  1. .github/workflows/deploy-sdk.yml

    • Replaced deprecated tibdex/github-app-token@v2.1.0 (Node 20 EOL) with actions/create-github-app-token@v3.1.1 (SHA-pinned, Node 24).
    • Switched from the deprecated app-id input to client-id — needs a new repo secret CIO_APP_CLIENT_ID. Existing CIO_APP_SECRET (PEM) is reused for private-key.
    • Critical: added with: token: ${{ steps.generate_token.outputs.token }} to actions/checkout. By default checkout persists GITHUB_TOKEN (= github-actions[bot]) into local git config, and any later git push (including the one inside @semantic-release/git) uses those credentials regardless of the env var passed to semantic-release. That's the most common cause of GH013 after wiring an App token.
    • Token is generated before checkout so checkout consumes it.
  2. .releaserc.json

    • Added a CI-skip directive to the @semantic-release/git commit message template. App pushes don't get GitHub's recursion guard (which only suppresses GITHUB_TOKEN pushes), so without this each release would spawn a redundant deploy run on the prepare-commit.

Required pre-merge actions (repo admin)

  • Add repo secret CIO_APP_CLIENT_ID = the App's Client ID (the Iv23li... string from https://github.com/organizations/customerio/settings/apps/cio-mobile-release).
  • Confirm the cio-mobile-release App is installed on this repo with Contents: Read & write, Metadata: Read, Pull requests: Read & write, and Workflows: Read & write (the last one is needed because release-prep commits may touch workflow files via assets).

Required post-merge actions (repo admin)

  • Settings -> Rules -> Rulesets -> New branch ruleset targeting main (and beta if used):
    • Enforcement: Active
    • Bypass list: add cio-mobile-release App, mode = Always (not "For pull requests only" — that mode rejects direct git push).
    • Rules: require PR (1+ approvals), require status checks, block force-pushes, require linear history, restrict deletions.
  • Trigger a release; confirm the prepare-commit lands on main with pusher cio-mobile-release[bot].
  • Once verified, remove the legacy classic branch protection rule on main (Settings -> Branches).
  • (Optional cleanup) Delete unused CIO_APP_ID numeric secret.

Test plan

  • Wait for a release-triggering merge into main.
  • Verify Deploy SDK workflow generates an App token without warnings.
  • Verify the prepare-commit and git tag are pushed by cio-mobile-release[bot] (not github-actions[bot]).
  • Verify no recursive Deploy SDK run is queued for the prepare-commit (CI-skip directive applied).
  • Maven Central deploy job runs as before.

🤖 Generated with Claude Code

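An added illustration of the ordering the description calls for (mint the App token first, then hand it to actions/checkout and to semantic-release). This is not the repository's deploy-sdk.yml and not the author's code: the job and step names, the actions/checkout major version and the `npx semantic-release` invocation are assumptions, and the SHA pin is left as a placeholder comment; the secret names are the ones the description lists.

```yaml
name: Deploy SDK
on:
  push:
    branches: [main]

# Assumption: the workflow's own GITHUB_TOKEN needs only read access, because every
# privileged write (prepare-commit, tag) is done with the App token minted below.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # 1. Mint the App installation token BEFORE checkout so checkout can consume it.
      #    In production replace the tag with the release's full commit SHA (placeholder here).
      - name: Generate GitHub App token
        id: generate_token
        uses: actions/create-github-app-token@v3.1.1
        with:
          client-id: ${{ secrets.CIO_APP_CLIENT_ID }}   # App Client ID (new secret)
          private-key: ${{ secrets.CIO_APP_SECRET }}    # App private key PEM (existing secret)

      # 2. Check out with the App token. Without `token:` here, actions/checkout persists
      #    GITHUB_TOKEN (github-actions[bot]) into .git/config as an HTTP extraheader, and
      #    every later `git push`, including the one @semantic-release/git performs, would
      #    authenticate as that bot and be rejected by the ruleset with GH013, no matter
      #    which token is exported to semantic-release in step 3.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          token: ${{ steps.generate_token.outputs.token }}
          fetch-depth: 0   # semantic-release needs the full history to compute the next version

      # The shape to avoid, shown for comparison:
      #   - uses: actions/checkout@v4      # persists GITHUB_TOKEN, so pushes run as github-actions[bot]

      # 3. Run the release with the same App token so the API calls (release, tag) and the
      #    git push both carry the cio-mobile-release[bot] identity on the bypass list.
      - name: Release
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: npx semantic-release
```

After the first release, the pusher shown on the prepare-commit in the main branch history is the check that the persisted credential really was the App token.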

Note

Medium Risk
Changes release automation authentication and git push credentials, which can block tagging/releases if misconfigured (new secret required) or if token handling differs from previous action.

Overview
Updates the Deploy SDK GitHub Actions workflow to authenticate via a GitHub App installation token and uses that token for both actions/checkout and semantic-release pushes, replacing the prior token action.

Adjusts the @semantic-release/git prepare-commit message to include [skip ci] to prevent the release-prep commit from triggering a recursive deploy run.

Reviewed by Cursor Bugbot for commit 104b072.

Replace deprecated tibdex/github-app-token with actions/create-github-app-token,
pass the App token to actions/checkout so persisted credentials match the App
identity on the main ruleset bypass list, and add a CI-skip marker to the
semantic-release prepare-commit message so the App push does not retrigger this
workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mahmoud-elmorabea mahmoud-elmorabea requested a review from a team as a code owner May 8, 2026 10:22
github-actions Bot commented May 8, 2026

Sample app builds 📱

Below you will find the list of the latest versions of the sample apps. It's recommended to always download the latest builds of the sample apps to accurately test the pull request.


codecov Bot commented May 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.00%. Comparing base (b5cf24d) to head (104b072).
⚠️ Report is 10 commits behind head on main.

@@             Coverage Diff              @@
##               main     #681      +/-   ##
============================================
- Coverage     69.07%   68.00%   -1.07%     
- Complexity      838      848      +10     
============================================
  Files           149      155       +6     
  Lines          4601     4695      +94     
  Branches        628      641      +13     
============================================
+ Hits           3178     3193      +15     
- Misses         1189     1264      +75     
- Partials        234      238       +4     


github-actions Bot commented May 8, 2026

  • kotlin_compose: mbl-app-bypass-migration (1778235778)

github-actions Bot commented May 8, 2026

  • java_layout: mbl-app-bypass-migration (1778235786)

github-actions Bot commented May 8, 2026

📏 SDK Binary Size Comparison Report

No changes detected in SDK binary size ✅

github-actions Bot commented May 8, 2026

Build available to test
Version: mbl-app-bypass-migration-SNAPSHOT
Repository: https://central.sonatype.com/repository/maven-snapshots/

Comment thread .releaserc.json
"reports/sdk-binary-size.json"
],
"message": "chore: prepare for ${nextRelease.version}\n\n${nextRelease.notes}"
"message": "chore: prepare for ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
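Review bot: `[skip ci]` in the prepare-commit subject suppresses every `push`- and `pull_request`-triggered workflow for that commit, not only Deploy SDK, so the sample-app builds, the binary-size report and the snapshot publish that normally run on main will also be skipped for the release commit; the PR description lists only the deploy recursion as the goal, so it should state this wider effect, and if any of those other workflows must observe the bumped version, prefer a narrower guard in deploy-sdk.yml (for example a job-level `if:` on the pusher or commit message) over the global marker. Keeping the marker in the first line, as done here, rather than inside `${nextRelease.notes}` is the right placement, since the notes are free-form and may be empty.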
Contributor commented:

Does this mean the build triggered on main during release won't include changes from this commit (e.g., the SDK version update), since CI would run on the previous commit instead of the latest one? Or did I misunderstand this?

@mahmoud-elmorabea mahmoud-elmorabea merged commit 574326a into main May 8, 2026
47 of 48 checks passed
@mahmoud-elmorabea mahmoud-elmorabea deleted the mbl-app-bypass-migration branch May 8, 2026 13:09