From 453e320f3581d238de7fefba2f3aac077024b24e Mon Sep 17 00:00:00 2001
From: "privilegedescalation-paperclip[bot]" <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Date: Fri, 20 Mar 2026 13:24:28 +0000
Subject: [PATCH] fix: use GitHub App token for release PR creation (#31)

The org blocks GITHUB_TOKEN from creating pull requests ("Write permissions for workflows are disabled by the organization"). Switch to a GitHub App installation token generated via actions/create-github-app-token for the PR creation step.

Requires org-level secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY to be configured. Calling workflows must pass these secrets.

Closes #30

Co-authored-by: Hugh Hackman
Co-authored-by: Claude Opus 4.6
---
 .github/workflows/plugin-release.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml
index 85923e6..d8405a5 100644
--- a/.github/workflows/plugin-release.yaml
+++ b/.github/workflows/plugin-release.yaml
@@ -17,6 +17,13 @@ on:
 required: false
 type: string
 default: ''
+ secrets:
+ RELEASE_APP_ID:
+ description: 'GitHub App ID for creating PRs (org blocks GITHUB_TOKEN from creating PRs)'
+ required: true
+ RELEASE_APP_PRIVATE_KEY:
+ description: 'GitHub App private key (PEM format)'
+ required: true
 
 permissions:
 contents: write
@@ -150,6 +157,13 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ secrets.RELEASE_APP_ID }}
+ private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
 - name: Install GitHub CLI
 run: |
 if ! command -v gh &>/dev/null; then
@@ -173,4 +187,4 @@ jobs:
 --head "release/v${VERSION}"
 gh pr merge "release/v${VERSION}" --auto --squash --delete-branch
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
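Review bot: The two new `description` strings under `secrets:` say why the App is needed but not which installation permissions it must carry, so whoever provisions the org-level `RELEASE_APP_ID` / `RELEASE_APP_PRIVATE_KEY` secrets has to reverse-engineer that from the `gh pr create` / `gh pr merge` step later in the file. Extend the `RELEASE_APP_ID` description with the required scopes, e.g. `description: 'GitHub App ID for creating PRs (org blocks GITHUB_TOKEN from creating PRs); App must be installed on this repo with pull_requests: write and contents: write'`. The exact permission set is inferred from the `gh pr create` and `gh pr merge --auto --squash --delete-branch` calls in the last hunk and should be confirmed against what the App actually needs.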
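Review bot: The new `Generate GitHub App token` step references `actions/create-github-app-token@v1` by floating major tag while handing it `RELEASE_APP_PRIVATE_KEY`, so a retagged or compromised `v1` would receive the App's private key; pin this `uses:` line to a full-length commit SHA with the version as a trailing comment, e.g. `uses: actions/create-github-app-token@<full-commit-sha>  # v1.x`, and let dependency tooling bump it. The installation token that comes out inherits every permission the App has on this repository, whereas the step only needs to open and auto-merge a PR; if the App is granted more than `pull_requests: write` / `contents: write`, narrow the token with the action's `permission-<scope>` inputs, assuming the version in use supports them. The rest of the file is outside the hunk, so I cannot tell whether its other `uses:` references are already SHA-pinned; this one should match whatever convention the file follows.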
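Review bot: The swap to `GH_TOKEN: ${{ steps.app-token.outputs.token }}` on the last line changes more than the org-policy bypass the commit message describes: the PR is now authored by the App rather than `github-actions[bot]`, and a PR opened with an App token will, unlike one opened with `GITHUB_TOKEN`, trigger `pull_request` workflows in this repository, so any required checks will run before `gh pr merge --auto` completes. That is presumably desirable but is undocumented; add a comment on the `env:` line such as `# App token, not GITHUB_TOKEN: org forbids workflow-created PRs, and App-created PRs also trigger pull_request CI`. The `run: |` block these lines belong to starts outside the hunk.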