ci: fix release-plz detached-HEAD failure and app-id deprecation#64

Merged
boorad merged 1 commit into main from fix/release-plz-detached-head
May 5, 2026

Conversation

@boorad boorad commented May 5, 2026

Summary

Fixes the failing release-plz-release and release-plz-pr jobs on main (run #45) and clears the four Input 'app-id' has been deprecated warnings that were on every release-plz/release-binaries run.

Background

PR #63 set ref: ${{ github.sha }} on the release-plz checkouts per a CodeRabbit suggestion. CodeRabbit's underlying concern was real (the prior ref: main would resolve to a moving branch tip), but the suggested fix has a side effect: actions/checkout with ref: <sha> performs git checkout --force <sha>, leaving HEAD detached. release-plz then runs git rev-parse --abbrev-ref --symbolic-full-name @{upstream} and bails with fatal: HEAD does not point to a branch.

Removing the explicit ref: is the right fix: actions/checkout defaults to git fetch +<github.sha>:refs/remotes/origin/main followed by git checkout -B main <github.sha>. That yields a branch HEAD pinned to the triggering commit — same commit-pinning guarantee CodeRabbit was after, without the detached-HEAD side effect.

Changes

  • .github/workflows/release-plz.yml: drop ref: ${{ github.sha }} from both actions/checkout@v6 steps so HEAD lands on the main branch (still pinned to github.sha).
  • .github/workflows/release-plz.yml (×2) and .github/workflows/release-binaries.yml (×1): rename app-id: → client-id: on actions/create-github-app-token@v3.1.1. The input was renamed upstream; existing RELEASE_PLZ_APP_ID secret value continues to work unchanged.

Test plan

  • actionlint .github/workflows/release-plz.yml .github/workflows/release-binaries.yml
  • Merge → next push to main triggers release-plz; both jobs should complete without fatal: HEAD does not point to a branch
  • Annotations panel should no longer surface the 'app-id' has been deprecated warnings

Checklist

  • PR title uses a Conventional Commits prefix
  • Commit is signed off (DCO)
  • Tests added or updated where appropriate (n/a — workflow-only)
  • User-visible changes reflected in README.md / docs (n/a)

Summary by CodeRabbit

  • Chores
    • Updated internal release workflow configurations to use the latest GitHub App token generation method and simplified deployment step parameters.

PR #63 set `ref: ${{ github.sha }}` on the release-plz checkouts per a
CodeRabbit suggestion to avoid running against a moving `main`. That
form causes actions/checkout to do `git checkout --force <sha>`, which
leaves HEAD detached. release-plz then runs
`git rev-parse --abbrev-ref --symbolic-full-name @{upstream}` and
aborts with `fatal: HEAD does not point to a branch`, failing both
release-plz-release and release-plz-pr.

Drop the explicit `ref:` so checkout uses its default behavior:
`git checkout -B main <github.sha>`. This gives a branch HEAD pinned
to the triggering commit — same commit-pinning guarantee CodeRabbit
asked for, without the detached-HEAD side effect.

Also rename `app-id:` to `client-id:` on
actions/create-github-app-token@v3 (3 call sites) to clear the
deprecation warnings. The existing RELEASE_PLZ_APP_ID secret value
continues to work; the input was just renamed upstream.

Signed-off-by: Brad Anderson <brad@enforceauth.com>
@boorad boorad self-assigned this May 5, 2026
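
The two checkout forms contrasted in the PR description and commit message, reproduced locally as an added example (not code from this repository or from actions/checkout). The repos are constructed in a temp directory, the function names are hypothetical, and `update-ref` stands in for the fetch refspec the PR quotes.

```shell
# Added example; every repo here is constructed in a throwaway temp directory.
set -eu
G="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

# Build an "origin" with one commit on main plus a clone standing in for the runner workspace.
make_workspace() {
  root=$(mktemp -d)
  git init -q "$root/origin"
  git -C "$root/origin" symbolic-ref HEAD refs/heads/main
  $G -C "$root/origin" commit -q --allow-empty -m "release commit"
  git clone -q "$root/origin" "$root/runner"
  printf '%s\n' "$root/runner"
}

# `ref: <sha>` form described in the PR: HEAD ends up detached.
checkout_by_sha() {
  git -C "$1" checkout -q --force "$2"
}

# Default form: point origin/main at the triggering commit (stand-in for the
# fetch refspec +<sha>:refs/remotes/origin/main), then recreate local main from it.
checkout_branch_pinned() {
  git -C "$1" update-ref refs/remotes/origin/main "$2"
  git -C "$1" checkout -q --force -B main refs/remotes/origin/main >/dev/null
}

# Branch name HEAD points at, or "detached".
head_state() {
  git -C "$1" symbolic-ref -q --short HEAD || echo detached
}

# The upstream query quoted in the PR; prints the upstream name or FAIL.
upstream_of_head() {
  if out=$(git -C "$1" rev-parse --abbrev-ref --symbolic-full-name '@{upstream}' 2>/dev/null); then
    printf '%s\n' "$out"
  else
    echo FAIL
  fi
}

run_demo() {
  ws=$(make_workspace)
  sha=$(git -C "$ws" rev-parse HEAD)
  checkout_by_sha "$ws" "$sha"
  echo "ref: <sha>: HEAD=$(head_state "$ws") upstream=$(upstream_of_head "$ws")"
  checkout_branch_pinned "$ws" "$sha"
  echo "default:    HEAD=$(head_state "$ws") upstream=$(upstream_of_head "$ws")"
  rm -rf "${ws%/runner}"
}
run_demo
```

Both forms leave HEAD on the same commit; only the second leaves a branch whose upstream can be resolved.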
coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8376d374-29dd-4a67-9eae-43c591d4f819

📥 Commits

Reviewing files that changed from the base of the PR and between e224bac and 8f9ce37.

📒 Files selected for processing (2)
  • .github/workflows/release-binaries.yml
  • .github/workflows/release-plz.yml

Walkthrough

The PR updates GitHub Actions release workflows to use client-id instead of app-id when calling actions/create-github-app-token, and removes an explicit ref parameter from checkout steps in the release-plz workflows, reflecting API changes in the GitHub App token action.

Changes

GitHub Actions Token and Checkout Configuration

| Layer / File(s) | Summary |
| --- | --- |
| Action API Parameter Update: .github/workflows/release-binaries.yml, .github/workflows/release-plz.yml | actions/create-github-app-token input changed from app-id to client-id across token-generation steps in both release and Homebrew tap workflows. |
| Checkout Step Simplification: .github/workflows/release-plz.yml | actions/checkout@v6 steps in release-plz-release and release-plz-pr jobs remove explicit ref: ${{ github.sha }} while retaining fetch-depth: 0. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • EnforceAuth/zift#43: Modifies the same actions/create-github-app-token invocation in release workflows.
  • EnforceAuth/zift#24: Updates GitHub App token generation in release-plz workflows; this PR refines the action input parameter names.

Poem

🐰 A token by any other name flows the same,
From app-id to client-id, the action's API came,
Checkouts simplified, refs made lean,
Release workflows now pristine! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the two main changes: fixing the release-plz detached-HEAD failure and addressing the app-id deprecation warning. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@amazon-q-developer amazon-q-developer Bot left a comment

The workflow changes correctly address both the detached-HEAD failure and the app-id deprecation warnings. The removal of explicit ref: parameters allows actions/checkout to use its default behavior that creates branch references pinned to github.sha, and the app-id → client-id parameter rename aligns with the upstream API changes. No blocking issues identified.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

@boorad boorad merged commit 79ec005 into main May 5, 2026
3 checks passed
@boorad boorad deleted the fix/release-plz-detached-head branch May 5, 2026 13:18