From 2308f9d272cb300807847718f8afef5af9aa2ad6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20C=C3=A1mara?= <alex.camara@elastic.co>
Date: Thu, 28 May 2026 18:04:31 +0200
Subject: [PATCH] Add GH app for repos with branch protections

---
 .github/workflows/pr-prepare.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/pr-prepare.yml b/.github/workflows/pr-prepare.yml
index e235f60..02c9773 100644
--- a/.github/workflows/pr-prepare.yml
+++ b/.github/workflows/pr-prepare.yml
@@ -12,6 +12,13 @@ on:
       changelog_entry:
         type: string
         description: 'Custom changelog entry (defaults to PR title if omitted)'
+    secrets:
+      CLIENT_ID:
+        required: false
+        description: 'GitHub App Client ID for automated commits'
+      APP_PRIVATE_KEY:
+        required: false
+        description: 'GitHub App private key PEM for automated commits'
 
 jobs:
   notify-instructions:
@@ -72,8 +79,18 @@ jobs:
       (github.event.action == 'closed' && github.event.pull_request.merged == true) || inputs.pr_number
     permissions:
       contents: write
+    env:
+      USE_APP_TOKEN: ${{ secrets.CLIENT_ID != '' }}
     # Flow: resolve inputs (from comment or dispatch) → fetch files → compute updates → commit
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        if: env.USE_APP_TOKEN == 'true'
+        uses: actions/create-github-app-token@v3.2.0
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
       - name: Resolve inputs
         id: resolve
         uses: actions/github-script@v9
@@ -82,6 +99,7 @@ jobs:
           INPUT_PR_NUMBER: ${{ inputs.pr_number }}
           INPUT_CHANGELOG_ENTRY: ${{ inputs.changelog_entry }}
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const owner = context.payload.repository.owner.login;
             const repo = context.payload.repository.name;
@@ -194,6 +212,7 @@ jobs:
           BASE_REF: ${{ steps.resolve.outputs.base-ref }}
           COMMAND: ${{ steps.resolve.outputs.command }}
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const fs = require('fs');
             const owner = context.payload.repository.owner.login;
@@ -274,6 +293,7 @@ jobs:
         env:
           VERSION_PATH: ${{ steps.fetch-files.outputs.version-path }}
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const fs = require('fs');
             const owner = context.payload.repository.owner.login;
@@ -307,6 +327,7 @@ jobs:
           BASE_REF: ${{ steps.resolve.outputs.base-ref }}
           TREE_JSON: ${{ steps.create-blobs.outputs.tree }}
         with:
+          github-token: ${{ steps.app-token.outputs.token || github.token }}
           script: |
             const fs = require('fs');
             const owner = context.payload.repository.owner.login;