From fa2ee7f6a47f36925e8ae380496fbd7bb0557a57 Mon Sep 17 00:00:00 2001
From: Dmitry Prudnikov
Date: Wed, 6 May 2026 16:54:30 +0300
Subject: [PATCH] fix(ci): use GitHub App token for semantic-release (mirror gitlab-mcp pattern)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Default GITHUB_TOKEN can't write to default branch (protected by ruleset 'main-protection'). Use GitHub App installation token — same pattern as structured-world/gitlab-mcp release-please.yml.

Requires org secrets: RELEASER_APP_ID + RELEASER_APP_PRIVATE_KEY (already configured org-wide for releases).
---
 .github/workflows/release.yml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 853b569..1b45e40 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,16 +31,24 @@ jobs:
     runs-on: ubuntu-latest
     environment: release # required for npm OIDC trusted publishing
     permissions:
-      contents: write # commit CHANGELOG + tag
-      issues: write
-      pull-requests: write
-      id-token: write # npm provenance + OIDC
+      contents: read
+      id-token: write # npm provenance + OIDC + GitHub App token mint
     steps:
+      - name: Generate release token
+        uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          app-id: ${{ secrets.RELEASER_APP_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
       - name: Checkout
         uses: actions/checkout@v6
         with:
           submodules: recursive
           fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
           persist-credentials: false
 
       - name: Setup Node.js
@@ -77,5 +85,5 @@ jobs:
 
       - name: semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: semantic-release
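Review bot: The comment on `id-token: write` credits the App token mint to OIDC, but `actions/create-github-app-token@v3` authenticates with the App's private key (the `app-id`/`private-key` inputs right below) and does not consume the job's OIDC token, so the permission is justified by npm provenance alone; suggest `id-token: write # npm provenance + OIDC (not needed for the App token)` so the grant is not kept for the wrong reason if provenance is ever dropped. Scoping `repositories:` to the current repo is the right least-privilege choice, but `submodules: recursive` combined with `token: ${{ steps.app-token.outputs.token }}` means any submodule hosted in another repository would now be fetched with a token not authorized for it — if that applies here, those repositories need listing too. Removing `issues: write` and `pull-requests: write` from the job is consistent with the switch, but it makes the semantic-release GitHub plugin's issue/PR comments depend entirely on the App installation's permissions, which this diff cannot show; worth confirming on the App. The enclosing job definition begins before the hunk.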
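Review bot: `GITHUB_TOKEN` in the semantic-release step is the installation token minted in the first step of the job, and installation tokens expire after GitHub's one-hour default; the Node setup, install and build steps that sit between the mint and this step (outside this hunk) must complete within that window or the push and release calls fail with an auth error. If the build is long, mint the token in a step placed immediately before `semantic-release` instead. This token is presumably on the `main-protection` bypass list, so keep it confined to this step's `env` and rely on the checkout's `persist-credentials: false` so it never lands in the workspace's git config; the enclosing job ends with this hunk.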