From 37341a72028f832192e4f7120a640567cbb70aec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Chalk?=
Date: Wed, 24 Sep 2025 13:47:56 +0200
Subject: [PATCH] ci: fix protected branch error in release workflow
---
.github/workflows/release.yml | 37 ++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 80f7ca459..dcd195d2b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,29 +9,36 @@ concurrency: group: release cancel-in-progress: false -permissions: - contents: write - id-token: write - -env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NX_NON_NATIVE_HASHER: true - NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} - jobs: release: name: Publish packages runs-on: ubuntu-latest + environment: release + env: + NX_NON_NATIVE_HASHER: true + NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} steps: + - name: Authenticate as "Code PushUp Bot" GitHub App + uses: actions/create-github-app-token@v2 + id: app-token + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - name: Fetch GitHub App's user ID + id: get-user-id + run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + - name: Configure Git user + run: | + git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]' + git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com' - name: Clone the repository uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Configure Git user - # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token - run: | - git config user.name github-actions[bot] - git config user.email 41898282+github-actions[bot]@users.noreply.github.com + token: ${{ steps.app-token.outputs.token }} + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@v4 with: @@ -41,3 +48,5 @@ jobs: run: npm ci - name: Version, release and publish packages run: npx nx release --yes + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }}
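Review bot: With the top-level `permissions:` block removed and no job-level replacement, the built-in GITHUB_TOKEN in the `release` job falls back to the repository or organisation default, which may be the permissive read/write set. Since the GitHub App token now does the authenticated work, the job can state least privilege explicitly by adding `permissions:` with `contents: read` under `release:`. The removed block also granted `id-token: write`, which is never part of the default set; if the publish step relies on OIDC (npm provenance or trusted publishing, not visible in this hunk), that grant has to be kept at job level. Separately, `actions/create-github-app-token@v2` receives the App private key and is referenced by a movable tag, so pinning it as `uses: actions/create-github-app-token@<full-commit-sha> # v2` would stop the key from following tag updates. The workflow's triggers and the remaining steps lie outside this hunk.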
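Review bot: `GH_TOKEN` on the `npx nx release --yes` step is read by the GitHub CLI and API clients but not by git itself, and the checkout step in the first hunk sets `persist-credentials: false`, so no credential is stored for a later `git push`. Whether `nx release` pushes the version commit and tags with plain git is not visible here (the release configuration is outside this patch); if it does, the push needs an explicit credential source, for example `gh auth setup-git` run at the start of this step while `GH_TOKEN` is set. Scoping the token to this one step instead of the whole job is the right call, and a comment such as `# app token only on this step: keeps it out of npm ci lifecycle scripts` would stop a later edit from hoisting it to job level.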