From 6d928031616d1196ab9d49d0e0992981684a9186 Mon Sep 17 00:00:00 2001
From: "Philip K. Warren"
Date: Wed, 22 Apr 2026 10:53:13 -0500
Subject: [PATCH] Use an app token for release workflow
---
.github/workflows/fetch_versions.yml | 2 +-
.github/workflows/release.yml | 12 ++++++++++--
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/fetch_versions.yml b/.github/workflows/fetch_versions.yml
index fb24c5b52..651e3b494 100644
--- a/.github/workflows/fetch_versions.yml
+++ b/.github/workflows/fetch_versions.yml
@@ -20,7 +20,7 @@ jobs:
 id: generate_token
 uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
 with:
- app-id: 249762
+ client-id: ${{ secrets.TOKEN_EXCHANGE_GH_APP_CLIENT_ID }}
 private-key: ${{ secrets.TOKEN_EXCHANGE_GH_APP_PRIVATE_KEY }}
 permission-contents: write
 permission-pull-requests: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 233aafda1..190273dde 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ on:
 default: ''
 permissions:
- contents: write
+ contents: read
 id-token: write
 issues: write
 packages: read
@@ -26,6 +26,14 @@ jobs:
 if: github.repository == 'bufbuild/plugins'
 runs-on: ubuntu-latest
 steps:
+ - name: Generate token
+ id: generate_token
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ with:
+ client-id: ${{ secrets.TOKEN_EXCHANGE_GH_APP_CLIENT_ID }}
+ private-key: ${{ secrets.TOKEN_EXCHANGE_GH_APP_PRIVATE_KEY }}
+ permission-contents: write
+ permission-packages: read
 - name: Checkout repository code
 uses: actions/checkout@v6
 with:
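Review bot: `contents: read` at the workflow level applies to every job in release.yml, but this commit moves only the `Create Release` step's `GITHUB_TOKEN` onto the app token; any other step or job that still pushes tags, commits or uploads with `github.token` will now fail with a permission error, so the jobs outside this hunk need the same check. `issues: write` and `id-token: write` stay in the block, and since the write capability for releases now lives in the app token it is worth confirming both grants are still used by this workflow. A comment recording the split would help the next reader, e.g. `# contents is read-only for GITHUB_TOKEN; release writes use the app token minted in the generate_token step`.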
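Review bot: The new `Generate token` step carries no comment explaining why an installation token replaces `github.token`, and the difference is security-relevant: it holds `permission-contents: write` (presumably scoped to this repository only, since no `owner`/`repositories` inputs are given — confirm against the pinned v3.1.1), and a release created with it is attributed to the app and, unlike one created with GITHUB_TOKEN, can trigger other workflows listening for `release` events. `permission-packages: read` is not obviously needed by a release step; if nothing in the job reads packages with this token, drop it to keep the token minimal. Suggest a comment above `- name: Generate token` along the lines of `# App installation token scoped to this repo with contents:write; GITHUB_TOKEN is contents:read and cannot create the release`. As far as I know the action revokes the token in its post step by default, which is why no explicit cleanup appears here; worth stating in the same comment once confirmed.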
@@ -44,7 +52,7 @@ jobs:
 check-latest: true
 - name: Create Release
 env:
- GITHUB_TOKEN: ${{ github.token }}
+ GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 MINISIGN_PRIVATE_KEY: ${{ secrets.MINISIGN_PRIVATE_KEY }}
 MINISIGN_PRIVATE_KEY_PASSWORD: ${{ secrets.MINISIGN_PRIVATE_KEY_PASSWORD }}
 PLUGINS: ${{ inputs.plugins }}
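Review bot: The env var is still named `GITHUB_TOKEN` but now carries the app installation token from `generate_token`, which a reader will easily mistake for the default workflow token; the two differ in scope and in whether the release it creates triggers downstream workflows. A one-line comment above the assignment would prevent that, e.g. `# app installation token (contents:write), not the workflow's read-only GITHUB_TOKEN`. The step's `run:` body and the rest of the job lie outside the hunk, so I could not check that no other command in it still relies on write access through the default token.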