ci: use GitHub App for semantic release authentication

joao-aveiro · joao-aveiro · commit 0dc1987d3724 · 2026-01-26T15:04:38.000Z
This enables the release bot to bypass branch protection rulesets
by using a GitHub App token instead of the default GITHUB_TOKEN.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -27,6 +27,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+      - name: Generate GitHub App token
+        id: app-token
+        if: ${{ secrets.ETHIACK_RELEASE_BOT_APP_ID != '' && secrets.ETHIACK_RELEASE_BOT_APP_PRIVATE_KEY != '' }}
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.ETHIACK_RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.ETHIACK_RELEASE_BOT_APP_PRIVATE_KEY }}
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
@@ -42,5 +49,5 @@ jobs:
         run: npm audit signatures
       - name: Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
         run: npx semantic-release
