diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 853b569..1b45e40 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,16 +31,24 @@ jobs:
     runs-on: ubuntu-latest
     environment: release # required for npm OIDC trusted publishing
     permissions:
-      contents: write # commit CHANGELOG + tag
-      issues: write
-      pull-requests: write
-      id-token: write # npm provenance + OIDC
+      contents: read
+      id-token: write # npm provenance + OIDC + GitHub App token mint
     steps:
+      - name: Generate release token
+        uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          app-id: ${{ secrets.RELEASER_APP_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Checkout
         uses: actions/checkout@v6
         with:
           submodules: recursive
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
           persist-credentials: false
 
       - name: Setup Node.js
@@ -77,5 +85,5 @@ jobs:
       - name: semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: semantic-release
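Review bot: The new comment on `id-token: write` claims it also covers "GitHub App token mint", but actions/create-github-app-token authenticates with the App private key passed in `private-key`, not with an OIDC token, so the comment misattributes the permission; suggest `id-token: write # npm provenance + OIDC trusted publishing`. The write rights this hunk drops from `permissions:` (contents, issues, pull-requests) are now granted by the App installation outside this file, which makes the effective privilege of the release job invisible to a reader; a comment on the Generate release token step naming the installation permissions semantic-release relies on, or the action's `permission-*` inputs if this version supports them, would keep the scope explicit and minimal. Unlike GITHUB_TOKEN, pushes made with an App installation token do trigger other workflows, so if this workflow's trigger (outside the hunk) includes pushes to the release branch, the CHANGELOG commit and tag that semantic-release pushes could re-run it. The second hunk's semantic-release step uses the same App token, so these points apply there too.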