Eigenoid (Releaser Bot)
Authors GitHub Releases for the distribution pipeline. When the release workflow runs, it uses this bot's token so that releases appear as authored by eigenoid-releaser-bot[bot] instead of github-actions[bot].
In short
Credential-only bot (Type A) -- it has no code of its own. It exists to give automated releases a recognizable identity separate from the automation bot (which handles tagging) and the settings bot (which handles governance).
Technical details
| Field | Value |
|---|---|
| Type | A (credential-only -- no code) |
| Client ID | Iv23liwfoqlPK3A771v5 |
| Slug | eigenoid-releaser-bot |
| Installation | Entire org (repository_selection: all) |
| Runtime | None -- only dispenses tokens for release workflows |
| Cost | $0 (no infrastructure) |
Permissions (Repository)
| Permission | Level | Reason |
|---|---|---|
| Contents | Read & Write | Create GitHub Releases and upload release assets |
| Metadata | Read | Base permission required by GitHub |
Usage in workflows
The release workflow generates an ephemeral token to pass to softprops/action-gh-release:
```yaml
- name: Generate releaser token
  id: releaser-token
  uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
  with:
    client-id: ${{ vars.RELEASER_BOT_CLIENT_ID }}
    private-key: ${{ secrets.RELEASER_BOT_PRIVATE_KEY }}
- name: Create GitHub Release
  uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
  with:
    token: ${{ steps.releaser-token.outputs.token }}
    prerelease: ${{ env.IS_PRERELEASE }}
```
Credentials stored at org level
| Name | Type | Visibility |
|---|---|---|
| RELEASER_BOT_CLIENT_ID | Variable | All repositories |
| RELEASER_BOT_PRIVATE_KEY | Secret | All repositories |
Workflows that use it
| Workflow | Repo | Purpose |
|---|---|---|
| release.yml | eigenoid-sample | Creates GitHub Releases for Python package versions |
| release.yml | eigenoid | Creates GitHub Releases for core framework versions |
How it fits with other bots
| Step | Bot | Why |
|---|---|---|
| Push to dev/qa/main | -- | Developer action |
| Auto-tag (create git tag) | Automation Bot | Tags must be created by a non-GITHUB_TOKEN identity to trigger workflows |
| Release (create GitHub Release) | Releaser Bot | Releases appear under a dedicated identity |
| Publish to Artifact Registry | -- | WIF authentication (no bot needed) |
Private key rotation
- Go to github.com/organizations/eigenoid/settings/apps/eigenoid-releaser-bot and navigate to Private keys.
- Click Generate a private key and download the new .pem file.
- Update the RELEASER_BOT_PRIVATE_KEY org secret in GitHub Settings > Secrets and variables > Actions.
- Delete the old key on the app page under Private keys.
- Verify: push a version bump to a dev branch and confirm the release is created by eigenoid-releaser-bot[bot].
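The verification step above can be scripted. The following is an added example, not code from the Eigenoid project: it checks the author recorded on each release in the JSON returned by GitHub's "list releases" REST endpoint. The function names are hypothetical, and the sample data and its tag names are constructed.

```python
import json
import sys

EXPECTED_AUTHOR = "eigenoid-releaser-bot[bot]"  # identity named on this page

# Constructed sample shaped like GET /repos/{owner}/{repo}/releases (fields trimmed).
SAMPLE_RELEASES = json.loads("""
[
  {"tag_name": "v1.4.0", "author": {"login": "eigenoid-releaser-bot[bot]", "type": "Bot"}},
  {"tag_name": "v1.3.0", "author": {"login": "github-actions[bot]", "type": "Bot"}},
  {"tag_name": "v1.2.1", "author": {"login": "some-developer", "type": "User"}},
  {"tag_name": "v1.2.0", "author": null}
]
""")


def audit_release_authors(releases, expected=EXPECTED_AUTHOR):
    """Return (tag, login, reason) for every release the expected App did not author."""
    findings = []
    for rel in releases:
        author = rel.get("author") or {}
        login = author.get("login")
        tag = rel.get("tag_name", "<no tag>")
        if login is None:
            findings.append((tag, None, "author missing"))
        elif login != expected:
            findings.append((tag, login, "unexpected author"))
        elif author.get("type") != "Bot":
            # GitHub Apps report type "Bot"; anything else is worth a look.
            findings.append((tag, login, "login matches but type is not Bot"))
    return findings


def release_authored_by_bot(releases, tag, expected=EXPECTED_AUTHOR):
    """Rotation check: True only if a release for `tag` exists and the App authored it."""
    exists = any(r.get("tag_name") == tag for r in releases)
    flagged = any(f[0] == tag for f in audit_release_authors(releases, expected))
    return exists and not flagged


if __name__ == "__main__":
    data = SAMPLE_RELEASES  # or pass a saved API response as the first argument
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for tag, login, reason in audit_release_authors(data):
        print(f"{tag}: {reason} ({login})")
```

A release authored by github-actions[bot] after rotation suggests the workflow fell back to the default token rather than the App token.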
Human owner
@shoootyou is responsible for this App. Contact them for permission changes, installations, or incidents.