@transphorm transphorm commented Oct 26, 2025

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration for improved security practices in the release process.

@transphorm transphorm changed the title fix prod token release error fix prod release token error Oct 26, 2025

coderabbitai bot commented Oct 26, 2025

Walkthrough

The release calendar workflow is updated to replace GitHub token provisioning from a custom internal secret to the built-in github.token in two release PR creation steps. The change affects the dev-to-staging and staging-to-main release processes without modifying control flow or PR logic.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Token source replacement (.github/workflows/release-calendar.yml) | Environment variable GH_TOKEN updated in two job steps: "Create dev to staging release PR" (release_to_staging) and "Create staging to main release PR" (release_to_production) — source changed from secrets.SELFXYZ_INTERNAL_REPO_PAT to github.token |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Areas requiring attention:

  • Verify that github.token has sufficient permissions (read/write for pull requests) to replace the custom PAT in both release creation steps
  • Confirm no dependency on additional scopes or permissions that the custom secret may have provided
  • Validate workflow functionality in staging/production release processes post-deployment

Suggested labels

codex

Poem

🎫 A token trades its secret home,
For GitHub's built-in path to roam,
From PAT to native, the flow stays true,
Two steps refresh with lighter hue ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The pull request title "fix prod release token error" is directly related to the changeset. The primary change replaces a custom secret token (secrets.SELFXYZ_INTERNAL_REPO_PAT) with GitHub's built-in github.token in the release workflow steps. The title clearly communicates that this addresses a token-related issue in production release, which accurately reflects the core objective of the changes. The title is concise, avoids vague language, and provides sufficient clarity for a teammate reviewing commit history to understand the main fix being applied. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e0d8c56 and 81b7af6.

📒 Files selected for processing (1)
  • .github/workflows/release-calendar.yml (2 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/**/*.{yml,yaml}: In GitHub workflows, use the shared composite actions in .github/actions for dependency caching instead of calling actions/cache directly
Use the cache-yarn composite action for Yarn dependency caching in workflows
Use the cache-bundler composite action for Ruby gems caching in workflows
Use the cache-gradle composite action for Gradle caching in workflows
Use the cache-pods composite action for CocoaPods caching in workflows

Files:

  • .github/workflows/release-calendar.yml
⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: type-check
🔇 Additional comments (1)
.github/workflows/release-calendar.yml (1)

142-142: Security improvement verified: release-calendar.yml successfully migrated to github.token.

Your migration is clean and complete within this workflow. The built-in github.token is scoped to the workflow run and your defined permissions (contents: write, pull-requests: write, issues: write) are sufficient for gh pr list, gh pr create, and gh label create operations.

Verification confirms the old secret is no longer referenced in this file (lines 142 and 299 successfully updated). The secret remains in other workflows (mobile-e2e.yml, mobile-ci.yml, mobile-deploy.yml, mobile-bundle-analysis.yml), which is expected—they may have different requirements (e.g., private CocoaPods access). This PR's scope is limited to release automation, so those are separate concerns.



@transphorm transphorm merged commit 735b380 into dev Oct 26, 2025
13 checks passed
@transphorm transphorm deleted the justin/fix-prod-release-error branch October 26, 2025 21:11
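
The review's two follow-up checks (which steps still take their token from a stored secret, and whether the workflow grants the scopes the review lists for github.token) can be run as a small audit. This is an added example, not code from this PR or repository: the function names are hypothetical, the sample workflow is constructed and abbreviated, and the required-scope list is taken from the review comment above.

```python
import re

# Constructed sample, modelled on the job and step names quoted in the review;
# it is not the repository's actual release-calendar.yml.
SAMPLE_WORKFLOW = """\
permissions:
  contents: write
  pull-requests: write
  issues: write
jobs:
  release_to_staging:
    steps:
      - name: Create dev to staging release PR
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr create --base staging --head dev --fill
  release_to_production:
    steps:
      - name: Create staging to main release PR
        env:
          GH_TOKEN: ${{ secrets.SELFXYZ_INTERNAL_REPO_PAT }}
        run: gh pr create --base main --head staging --fill
"""

STEP_RE = re.compile(r"^\s*-\s+name:\s*(.+)$")
TOKEN_RE = re.compile(r"^\s*(?:GH_TOKEN|GITHUB_TOKEN):\s*\$\{\{\s*([\w.]+)\s*\}\}")

def stored_secret_tokens(text):
    """Return (line, step, source) for each token env var fed from secrets.*."""
    findings, step = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := STEP_RE.match(line):
            step = m.group(1).strip()
        if (m := TOKEN_RE.match(line)) and m.group(1).startswith("secrets."):
            findings.append((lineno, step, m.group(1)))
    return findings

def declared_permissions(text):
    """Parse the first `permissions:` mapping into {scope: level}."""
    block = re.search(r"^( *)permissions:\n((?:\1 +\S.*\n)+)", text, re.M)
    return dict(re.findall(r"([\w-]+):[ \t]*(\w+)", block.group(2))) if block else {}

def missing_write_scopes(text, required=("contents", "pull-requests", "issues")):
    """Scopes the review lists that the workflow does not grant at write level."""
    perms = declared_permissions(text)
    return [s for s in required if perms.get(s) != "write"]
```

Run over every file under .github/workflows, the first function lists the steps that still depend on a long-lived PAT, and the third flags workflows where github.token would lack a scope the release steps rely on.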