Skip to content

[Bug]: Release Please workflow fails due to org-level GITHUB_TOKEN restriction #165

Closed
#167
#166
Closed
[Bug]: Release Please workflow fails due to org-level GITHUB_TOKEN restriction#165
#167
#166
Labels
bugSomething isn't workingneeds-triageRequires triage and prioritization
@WilliamBerryiii

Description

@WilliamBerryiii
WilliamBerryiii
opened on Jan 12, 2026

Component

Scripts

Bug Description

The release-please workflow in main.yml fails with:

GitHub Actions is not permitted to create or approve pull requests

This is caused by an org-level enterprise policy that blocks GITHUB_TOKEN from creating pull requests. The setting "Allow GitHub Actions to create and approve pull requests" is greyed out at the repository level, indicating it's controlled at the enterprise/org level.

Expected Behavior

The release-please workflow should successfully create release PRs when changes are pushed to the main branch.

Steps to Reproduce

  1. Push a conventional commit to main branch
  2. Observe the release-please job in the CI workflow
  3. Job fails with "GitHub Actions is not permitted to create or approve pull requests"

Additional Context

Root Cause: Org-level policy blocks GITHUB_TOKEN from creating PRs.

Solution: Use a GitHub App token instead of GITHUB_TOKEN.

GitHub App Created: hve-core-release-please (ID: 2646666)

  • Already installed on microsoft org
  • Uses actions/create-github-app-token@v2

Fix PR: #167 - Implements GitHub App token for release-please

Remaining Setup After PR Merges:

  • Add RELEASE_APP_ID variable (value: 2646666)
  • Add RELEASE_APP_PRIVATE_KEY secret (PEM file contents)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingneeds-triageRequires triage and prioritization

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions