ci: Use app to create and merge release PR

.github/workflows/release.yml

@@ -29,18 +29,31 @@ jobs:
       tag: ${{ steps.validate.outputs.tag }}
       version: ${{ steps.validate.outputs.version }}
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        with:
+          app-id: ${{ secrets.BRAINTRUST_BOT_APP_ID }}
+          private-key: ${{ secrets.BRAINTRUST_BOT_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            ${{ github.event.repository.name }}
+          permission-contents: write
+          permission-pull-requests: write
+
       - name: Checkout main
         # actions/checkout@v6.0.2
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: main
           fetch-depth: 0
           fetch-tags: true
+          token: ${{ steps.app-token.outputs.token }}
 
       - id: validate
         name: Validate release input
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           GH_REPO: ${{ github.repository }}
           INPUT_VERSION: ${{ inputs.version }}
           WORKFLOW_REF: ${{ github.ref }}
@@ -122,7 +135,7 @@ jobs:
         name: Open release PR
         env:
           BRANCH: ${{ steps.validate.outputs.branch }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           GH_REPO: ${{ github.repository }}
           TAG: ${{ steps.validate.outputs.tag }}
           VERSION: ${{ steps.validate.outputs.version }}
@@ -223,6 +236,18 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        with:
+          app-id: ${{ secrets.BRAINTRUST_BOT_APP_ID }}
+          private-key: ${{ secrets.BRAINTRUST_BOT_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            ${{ github.event.repository.name }}
+          permission-contents: write
+          permission-pull-requests: write
+
       - name: Download binaries
         # actions/download-artifact@v4.1.8
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
@@ -237,7 +262,7 @@ jobs:
 
       - name: Create GitHub Release
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           GH_REPO: ${{ github.repository }}
           RELEASE_SHA: ${{ needs.prepare.outputs.release_sha }}
           TAG: ${{ needs.prepare.outputs.tag }}
@@ -254,7 +279,7 @@ jobs:
 
       - name: Enable auto-merge for release PR
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           GH_REPO: ${{ github.repository }}
           PR_NUMBER: ${{ needs.prepare.outputs.pr_number }}
           RELEASE_SHA: ${{ needs.prepare.outputs.release_sha }}

CONTRIBUTING.md

@@ -39,7 +39,7 @@ Stable releases use the manual `Release` workflow.
 
 The workflow validates the version, creates a timestamped `release/v<version>-<timestamp>` branch, commits the version bump to `packages/spark/package.json`, opens a PR, verifies the release commit, builds all binary artifacts, and creates the GitHub Release for `v<version>`. After the release succeeds, it enables auto-merge on the version-bump PR.
 
-This repository uses `GITHUB_TOKEN` for release automation. Pull requests created by `GITHUB_TOKEN` may still need a human to approve PR workflow runs, and `main` requires review and passing checks. Auto-merge is enabled after publishing, but the PR may wait until those requirements are satisfied before the version bump lands on `main`.
+Stable release automation uses the Braintrust bot GitHub App token for branch, PR, release, and auto-merge operations so release PRs can run the normal CI workflow. `main` still requires review and passing checks. Auto-merge is enabled after publishing, but the PR may wait until those requirements are satisfied before the version bump lands on `main`.
 
 Pre-releases use the manual `Pre-release` workflow.