diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index dc68756..fbb575f 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -39,17 +39,23 @@ jobs: tag_name: ${{ steps.release.outputs.tag_name }} version: ${{ steps.release.outputs.version }} steps: + - name: Mint GitHub App token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Run Release Please id: release uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0 with: - # PAT (not GITHUB_TOKEN) so the release PR's CI runs and the - # tag-push event triggers release.yml. With GITHUB_TOKEN those - # downstream workflows are silently skipped per GitHub's - # anti-recursion policy. Falls back to GITHUB_TOKEN if the - # secret isn't set, so the workflow doesn't break if the PAT - # expires before being renewed (cascade is lost until renewed). - token: ${{ secrets.RELEASE_PLEASE_TOKEN || secrets.GITHUB_TOKEN }} + # GitHub App installation token (not GITHUB_TOKEN) so the release + # PR's CI runs and the tag-push event triggers release.yml. With + # GITHUB_TOKEN those downstream workflows are silently skipped per + # GitHub's anti-recursion policy. App tokens are minted per-run and + # never expire out, unlike a PAT. + token: ${{ steps.app-token.outputs.token }} release-type: go config-file: .github/release-please-config.json manifest-file: .github/.release-please-manifest.json