Problem
In multi-repo orchestration, a downstream repo may need to pull the CLI from a private source (a central repo's release assets) or trigger downstream workflows in another repo. Both need elevated, cross-repo auth that the default per-repo GITHUB_TOKEN can't grant.
For single-repo and public OSS use this is a non-issue — the stock GITHUB_TOKEN works with zero extra setup. This is strictly the opt-in elevated-auth path.
Current state
The config abstraction already exists: the release_token: manifest field (resolved via the release-token accessor) defaults to ${{ secrets.GITHUB_TOKEN }}. Setting it to a custom secret expression already overrides the token used on release operations.
Proposed
Make the elevated-auth path first-class and documented:
- PAT name option: document and validate setting release_token: to a custom PAT secret expression for the private-source / cross-repo case.
- GitHub App option: support minting a short-lived installation token via actions/create-github-app-token and feeding it to the release/setup-cli steps, so adopters can avoid long-lived PATs.
- Document when each is needed: pulling the CLI from a private central repo, or auto-triggering downstream repos in a satellite topology.
Impact
Additive and opt-in — the default stays GITHUB_TOKEN. Unblocks private-source multi-repo orchestration without long-lived PATs. Zero schema risk; lands post-1.0.
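One way the "validate" part of the proposal could look, as an added example that is not the project's own code: a check that classifies a release_token: value and rejects a credential pasted as a literal. The function name, the result labels and the choice to accept a step-output expression for the GitHub App case are assumptions; the sample values are constructed.

```python
import re

# Expression that reads a repository or organization secret.
SECRET_EXPR = re.compile(r"^\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")
# Output of an earlier workflow step, e.g. a token minted by
# actions/create-github-app-token (assumed to be allowed here).
STEP_OUTPUT_EXPR = re.compile(
    r"^\$\{\{\s*steps\.([A-Za-z_][\w-]*)\.outputs\.([A-Za-z_][\w-]*)\s*\}\}$"
)
# Prefixes of GitHub-issued tokens: a match means the credential itself
# was written into the manifest instead of a reference to it.
LITERAL_TOKEN = re.compile(r"^(ghp_|gho_|ghu_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]+$")


def classify_release_token(value):
    """Return (kind, message); kind 'invalid' should fail manifest validation."""
    if value is None or not value.strip():
        return ("default", "unset: falls back to ${{ secrets.GITHUB_TOKEN }}")
    value = value.strip()
    if LITERAL_TOKEN.match(value):
        return ("invalid", "literal token in manifest: revoke it, store it as a secret")
    m = SECRET_EXPR.match(value)
    if m:
        if m.group(1).upper() == "GITHUB_TOKEN":
            return ("default", "per-repo GITHUB_TOKEN: no cross-repo access")
        return ("pat-secret", f"custom secret {m.group(1)}: long-lived if it holds a PAT")
    m = STEP_OUTPUT_EXPR.match(value)
    if m:
        return ("step-output", f"output '{m.group(2)}' of step '{m.group(1)}'")
    return ("invalid", "expected a ${{ secrets.* }} or ${{ steps.*.outputs.* }} expression")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real manifest.
    samples = [
        None,
        "${{ secrets.GITHUB_TOKEN }}",
        "${{ secrets.CENTRAL_REPO_PAT }}",
        "${{ steps.app-token.outputs.token }}",
        "ghp_" + "A" * 36,
        "my-token",
    ]
    for sample in samples:
        kind, message = classify_release_token(sample)
        print(f"{sample!r:45} {kind:12} {message}")
```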