CI/CD for Theme App Extensions with App Automation Tokens
Set up repeatable, secure CI/CD for Theme App Extensions using Dev Dashboard App Automation Tokens so your team can push extension builds and theme app extension updates without manual CLI sign-ins.
Why App Automation Tokens matter
App Automation Tokens replace interactive CLI tokens for non‑interactive pipelines and let build systems authenticate to the Dev Dashboard to push extensions, publish app assets, and run reproducible deployments from CI environments [1].
Before you start
- Confirm your app and theme app extension are in the same Dev Dashboard project and that you have the necessary developer role in the org.
- Prefer Theme App Extensions over script tags or manual theme asset edits — extensions are the review‑compliant, safer pattern for injecting storefront UI [3].
- Note platform policy changes: legacy custom app tokens and the old admin flow are deprecated; new automation flows are the supported path for CI (see token guidance) [4].
Step‑by‑step: add CI/CD for a theme app extension
1. Create an App Automation Token in the Dev Dashboard
- Open your app in the Shopify Dev Dashboard, go to the App Automation Tokens page, and create a token scoped only to the tasks your pipeline needs (push extensions, theme app extension deploys, or app asset writes) [1].
- Give the token a descriptive name (e.g. "CI: github-actions/prod") and set an expiry or rotation policy that matches your security guidelines [1].
2. Store the token securely in your CI provider
- Add the token as a secret in GitHub Actions, GitLab CI, CircleCI, or your chosen runner. Use the environment variable name expected by Shopify tooling: SHOPIFY_APP_AUTOMATION_TOKEN (set this as a secret) [1].
- Limit repository and team access to that secret. Prefer short expiry tokens and a rotation schedule to reduce blast radius if leaked [1].
3. Update your pipeline to authenticate and run extension deploys
- In your build step, export the env var so the Shopify CLI and build tools can pick it up (for example, your CI action should expose SHOPIFY_APP_AUTOMATION_TOKEN to processes invoked by the runner) [1].
- Use the CLI or Dev Dashboard deploy action that supports non‑interactive auth to build and push your theme app extension and assets from CI. App deployment in CI/CD is now supported for all apps — enable the pipeline as part of your staging and production workflows and gate releases with review and tests [2].
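As an added example (not code from the original post or from Shopify), here is a GitHub Actions workflow that implements steps 2 and 3: the token is read from an environment-scoped secret under the variable name the page gives, SHOPIFY_APP_AUTOMATION_TOKEN, is exposed only to the steps that need it, is checked before the deploy runs, and production deploys are gated behind a reviewer-protected environment with separate tokens for staging and production. The environment names "staging" and "production", the npm test script, and the Shopify CLI deploy command are assumptions about your project.

```yaml
name: Deploy theme app extension

on:
  push:
    branches: [main]          # every merge to main deploys to staging
  workflow_dispatch:          # production is triggered manually and reviewer-gated

permissions:
  contents: read              # the workflow needs no write access to the repository

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test             # gate: nothing deploys if the tests fail

  deploy:
    needs: test
    runs-on: ubuntu-latest
    # "staging" and "production" are assumed GitHub environment names; each holds its own
    # SHOPIFY_APP_AUTOMATION_TOKEN secret, so staging and production never share a token
    environment: ${{ github.event_name == 'workflow_dispatch' && 'production' || 'staging' }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: Preflight token check
        # fail fast with a clear message instead of an opaque auth error mid-deploy;
        # the token value itself is never printed
        env:
          SHOPIFY_APP_AUTOMATION_TOKEN: ${{ secrets.SHOPIFY_APP_AUTOMATION_TOKEN }}
        run: |
          if [ -z "${SHOPIFY_APP_AUTOMATION_TOKEN}" ]; then
            echo "SHOPIFY_APP_AUTOMATION_TOKEN is not set for this environment" >&2
            exit 1
          fi
      - name: Deploy extension
        # the secret is scoped to this step only, not to the whole job
        env:
          SHOPIFY_APP_AUTOMATION_TOKEN: ${{ secrets.SHOPIFY_APP_AUTOMATION_TOKEN }}
        run: npx shopify app deploy --force   # --force: non-interactive, no confirmation prompt
```

Add required reviewers to the production environment in the repository settings so the manual trigger cannot deploy without approval.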
Testing, security, and rotation best practices
- Test in a development store first. New development shops include checkout and extension support by default, which helps validate flows before hitting production environments [2].
- Limit token scopes and use separate tokens for staging and production; never embed tokens in repository code or Docker images [1].
- Rotate tokens regularly and automate rotations in your pipeline credentials store; remove tokens tied to developers who leave the team immediately [1].
- If your workflows previously used legacy admin or long‑lived custom app tokens, migrate to the Dev Dashboard client credentials and app automation token flows because legacy custom app creation from the admin is no longer the recommended approach after Jan 1, 2026 [4].
Common pitfalls and how to avoid them
- Missing scopes: requests will fail if the token lacks the specific extension or theme scopes — create a minimal token and expand only as needed [1].
- Token expiry mid‑deploy: schedule rotations and add health checks to your pipeline to detect failed authentication caused by expired tokens [1].
- Testing gaps: always run a deploy to a dedicated dev store first; some extension behaviors only surface when deployed to a store with compatible theme and settings [3].
Quick checklist
- Create an App Automation Token in the Dev Dashboard and scope it minimally [1].
- Save the token as SHOPIFY_APP_AUTOMATION_TOKEN in your CI secrets [1].
- Use the CI-capable deploy path (CLI or Dev Dashboard action) to push theme app extensions from your pipeline [2].
- Rotate tokens regularly, restrict access, and test in dev stores before production [1][3].
- Plan a migration if you still rely on legacy custom app tokens — follow the client credentials patterns documented by Shopify [4].
Takeaway
Switching to App Automation Tokens makes theme app extension deployments reproducible and secure, reduces manual steps, and aligns with Shopify's move away from injected scripts and long‑lived admin tokens — implement tokens, lock down scopes, and run deploys from CI to make your extension releases predictable and auditable [1][2][3][4].