
fix(ci): auth actions/checkout as bot because it is used for subsequent ops [MEC-2423]#2418

Merged
Jared Jolton (jjolton-contentful) merged 2 commits into main from fix/ensure-ca-bot-token-is-avail-for-checkout
Jan 2, 2026

Conversation


@jjolton-contentful Jared Jolton (jjolton-contentful) commented Jan 2, 2026

Purpose of PR

actions/checkout without a token uses the default GITHUB_TOKEN (which belongs to github-actions[bot]).

This token gets embedded in the .git/config remote URL.

When @semantic-release/git runs git push, it uses whatever credentials are in the git config.

GitHub sees the push as coming from github-actions[bot], which is not on the bypass list.

PR Checklist

  • Tests are added/updated/not required
  • Tests are passing
  • Typescript typings are added/updated/not required

Summary by CodeRabbit

  • Chores
    • Updated release workflow to perform an authenticated checkout using a token retrieved from the secure vault.
    • Added an automated bot user lookup and basic validation to obtain the identity used for commits.
    • Configures Git author credentials from the retrieved bot identity for release commits.
    • Reactivated package publishing credentials setup to work with the new token flow.



coderabbitai Bot commented Jan 2, 2026

Walkthrough

Modifies the GitHub Actions release workflow to pass a Vault-provided GITHUB_TOKEN into checkout, re-enables fetching the automation bot user ID via the GitHub API with validation, configures git user.name/email from that bot ID, and preserves npmrc-based publishing steps.

Changes

Cohort / File(s): GitHub Actions Release Workflow (/.github/workflows/release.yaml)

Summary: Reintroduces an explicit checkout step that uses a GITHUB_TOKEN sourced from Vault; adds an active step to fetch the automation bot user ID via the GitHub API with basic validation and error handling; configures git user.name and git user.email from the bot ID; enables npmrc publishing setup.

Sequence Diagram(s)

sequenceDiagram
    participant GH_Actions as GitHub Actions (workflow)
    participant Vault as Vault
    participant Checkout as actions/checkout
    participant GH_API as GitHub REST API
    participant Git as git (local runner)
    participant NPM as npm publish

    rect rgb(235,245,255)
    GH_Actions->>Vault: request GITHUB_TOKEN secret
    Vault-->>GH_Actions: GITHUB_TOKEN
    end

    rect rgb(245,255,235)
    GH_Actions->>Checkout: checkout repo (token=GITHUB_TOKEN)
    Checkout-->>GH_Actions: workspace ready
    end

    rect rgb(255,245,235)
    GH_Actions->>GH_API: GET /user (using token) -> bot user info
    GH_API-->>GH_Actions: bot_user.login / id
    GH_Actions->>GH_Actions: validate bot ID
    end

    GH_Actions->>Git: git config user.name (bot login)
    GH_Actions->>Git: git config user.email (bot+no-reply)
    GH_Actions->>NPM: enable ~/.npmrc (auth from Vault)
    GH_Actions->>NPM: npm publish
    NPM-->>GH_Actions: publish result

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • tylerwashington888
  • BobHemphill76

Poem

🐰 From vault I fetched a gleam, a token snug and bright,
I hopped to checkout, fetched the bot, and set my name just right.
With npm tuned and commits aligned, the release hops on cue —
A little rabbit's cheer: smooth publish, through and through! 🐇✨

Pre-merge checks

✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: authenticating actions/checkout with a bot token to ensure proper credentials are used for subsequent operations like git push.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4a26031 and 9790339.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release.yaml

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • MEC-2423: Request failed with status code 404


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yaml (1)

46-55: Consider extracting the bot name to an environment variable.

The bot name contentful-automation[bot] is hardcoded in lines 48 and 54. Extracting it to a variable would improve maintainability and reduce the risk of inconsistencies if the bot name needs to change.

🔎 Proposed refactor
+      - name: Set bot name
+        id: bot-config
+        run: echo "name=contentful-automation[bot]" >> "$GITHUB_OUTPUT"
+
       - name: Get Automation Bot User ID
         id: get-user-id
-        run: echo "user-id=$(gh api "/users/contentful-automation[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        run: |
+          USER_ID=$(gh api "/users/${{ steps.bot-config.outputs.name }}" --jq .id)
+          if [ -z "$USER_ID" ] || [ "$USER_ID" = "null" ]; then
+            echo "Error: Failed to retrieve bot user ID"
+            exit 1
+          fi
+          echo "user-id=$USER_ID" >> "$GITHUB_OUTPUT"
         env:
           GITHUB_TOKEN: ${{ steps.vault.outputs.GITHUB_TOKEN }}
 
       - name: Setting up Git User Credentials
         run: |
-          git config --global user.name 'contentful-automation[bot]'
-          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+contentful-automation[bot]@users.noreply.github.com'
+          git config --global user.name '${{ steps.bot-config.outputs.name }}'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.bot-config.outputs.name }}@users.noreply.github.com'
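Review bot: The empty/null guard in the "Get Automation Bot User ID" step only rejects a missing value, yet the id is spliced into the user.email address in the following step; tighten it to a numeric check, e.g. `if ! [[ "$USER_ID" =~ ^[0-9]+$ ]]; then`. Note that the Actions default bash shell runs with `-e`, so a non-zero exit from `gh api` already aborts the step at the `USER_ID=$(...)` assignment; the guard mainly catches a successful response whose `.id` is absent. The single-quoted `${{ }}` expansions in the git config lines are fine here because the inputs are a constant step output and a number validated by the same job, not user-controlled event data.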

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 22890e5 and 4a26031.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml
🔇 Additional comments (2)
.github/workflows/release.yaml (2)

39-44: Checkout configuration correctly uses Vault-sourced token for authentication.

The actions/checkout@v6 action is available and stable. The checkout step appropriately addresses the authentication issue by using the Vault token, which will be embedded in the git remote URL for subsequent operations. The ref logic correctly handles both workflow_run and workflow_dispatch triggers.


52-55: Verify email consistency between git config and Vault.

The constructed email format {user-id}+contentful-automation[bot]@users.noreply.github.com follows GitHub's standard bot convention. However, this email (set in git config on line 55) may differ from GH_USER_EMAIL stored in Vault (used by semantic-release on lines 88-91). Since semantic-release uses environment variables that take precedence over git config, commits could be attributed to different email addresses depending on the operation if these values don't match.

Confirm that the Vault secret secret/data/github/automation-app-user stores GH_USER_EMAIL in the same format as the constructed email to ensure consistent commit attribution.
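As an added example (not the project's workflow code) of the validation and email-consistency checks raised above, the following script validates a constructed /users/<login> API response for the bot account, derives the noreply address the workflow builds, and checks whether a second address (such as a GH_USER_EMAIL value from Vault) identifies the same GitHub user. The response body and the numeric id in it are constructed placeholders.

```python
import json
import re

NOREPLY_DOMAIN = "users.noreply.github.com"
# Matches "<numeric id>+<login>@users.noreply.github.com"
NOREPLY_RE = re.compile(r"^(\d+)\+([^@\s]+)@users\.noreply\.github\.com$")

# Constructed sample response; the id is a placeholder, not the real bot's id.
SAMPLE_RESPONSE = json.dumps(
    {"login": "contentful-automation[bot]", "id": 123456789, "type": "Bot"}
)


def validate_bot_user(api_response: str, expected_login: str) -> int:
    """Validate a GitHub /users/<login> response and return the bot's numeric id.

    Rejects a login mismatch, a non-Bot account and a missing or non-positive id,
    the cases a bare `--jq .id` pipeline would silently pass through.
    """
    data = json.loads(api_response)
    login = data.get("login")
    user_id = data.get("id")
    if login != expected_login:
        raise ValueError(f"login mismatch: expected {expected_login!r}, got {login!r}")
    if data.get("type") != "Bot":
        raise ValueError(f"{login!r} is not a Bot account (type={data.get('type')!r})")
    if not isinstance(user_id, int) or isinstance(user_id, bool) or user_id <= 0:
        raise ValueError(f"invalid user id: {user_id!r}")
    return user_id


def noreply_email(user_id: int, login: str) -> str:
    """Build the GitHub noreply address the workflow sets as git user.email."""
    return f"{user_id}+{login}@{NOREPLY_DOMAIN}"


def emails_consistent(git_email: str, env_email: str) -> bool:
    """True if both addresses are noreply addresses for the same user.

    The numeric id is the authoritative link; the login is compared
    case-insensitively because GitHub logins are not case-sensitive.
    """
    parsed = [NOREPLY_RE.match(e.strip()) for e in (git_email, env_email)]
    if not all(parsed):
        return False
    (id_a, login_a), (id_b, login_b) = (m.groups() for m in parsed)
    return id_a == id_b and login_a.lower() == login_b.lower()
```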

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@jjolton-contentful Jared Jolton (jjolton-contentful) merged commit d16e9ce into main Jan 2, 2026
13 checks passed
@jjolton-contentful Jared Jolton (jjolton-contentful) deleted the fix/ensure-ca-bot-token-is-avail-for-checkout branch January 2, 2026 18:13
contentful-automation Bot added a commit that referenced this pull request Jan 2, 2026
# [4.49.0](v4.48.2...v4.49.0) (2026-01-02)

### Bug Fixes

* add vault step to release github action to retrieve token for version bump in git [EXT-7068] ([#2398](#2398)) ([c913680](c913680))
* bump patch [EXT-7068] ([#2411](#2411)) ([6c4676a](6c4676a))
* **ci:** auth actions/checkout as bot because it is used for subsequent ops [MEC-2423] ([#2418](#2418)) ([d16e9ce](d16e9ce))
* MEC-2423 fix CI actor ([bcc1338](bcc1338))
* MEC-2423 fix npm publishing ([22890e5](22890e5))
* MEC-2423 fix release pipeline ([a5bd8b8](a5bd8b8))
* MEC-2423 fix token passing for release ([#2417](#2417)) ([6e95291](6e95291))
* release job [EXT-7068] ([#2400](#2400)) ([bea6ede](bea6ede))
* remove npm token check since now we use oidc [EXT-7067] ([#2397](#2397)) ([22389d0](22389d0))
* use correct vault-github-actions tag [EXT-7068] ([#2399](#2399)) ([8fb861a](8fb861a))

### Features

* implement trusted publishing for npm releases and remove custom codeql workflow [EXT-7067] ([#2384](#2384)) ([1f6b45b](1f6b45b))
@contentful-automation

🎉 This PR is included in version 4.49.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
