From cd32863e3757ed7deca2cd38b25535116293650b Mon Sep 17 00:00:00 2001
From: Nashon Steffen
Date: Tue, 28 Apr 2026 10:03:05 -0700
Subject: [PATCH] ci(release): mint GitHub App installation token instead of RELEASE_TOKEN PAT

Replace the long-lived RELEASE_TOKEN PAT with a GitHub App installation token (via actions/create-github-app-token) for both create-release-pr.yml and create-release-tag.yml. The installation token is short-lived (1h), repository-scoped, and avoids the GITHUB_TOKEN limitation where downstream workflows do not fire.

Refs: stacklok/toolhive#4835
Co-Authored-By: Claude Opus 4.7 (1M context)
Signed-off-by: Nashon Steffen
---
 .github/workflows/create-release-pr.yml | 9 ++++++++-
 .github/workflows/create-release-tag.yml | 12 ++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index e35049d5..d08efebf 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -29,6 +29,13 @@ jobs:
 name: Create Release PR
 runs-on: ubuntu-latest
 steps:
+ - name: Generate release app token
+ id: app-token
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ with:
+ client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
+ private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -38,7 +45,7 @@ jobs:
 with:
 releaseo_version: v0.0.3
 bump_type: ${{ inputs.bump_type }}
- token: ${{ secrets.RELEASE_TOKEN }}
+ token: ${{ steps.app-token.outputs.token }}
 version_files: |
 - file: helm/Chart.yaml
 path: version
diff --git a/.github/workflows/create-release-tag.yml b/.github/workflows/create-release-tag.yml
index bf0805c4..e6687029 100644
--- a/.github/workflows/create-release-tag.yml
+++ b/.github/workflows/create-release-tag.yml
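Review bot: The `Generate release app token` step passes only `client-id` and `private-key`, so the minted installation token carries every permission the app installation has rather than only what the release flow needs; the identical step added to create-release-tag.yml has the same gap. actions/create-github-app-token accepts `permission-*` inputs to narrow the token, so adding `permission-contents: write` and `permission-pull-requests: write` under `with:` here (and `permission-contents: write` alone in create-release-tag.yml, where the token only backs `gh release create`) keeps the credential least-privilege even if the app is later granted more — the exact set the releaseo action needs is not visible in the hunk, so confirm it against that action's documentation. Leaving `owner` and `repositories` unset already restricts the token to this repository, which matches the commit message. The action's post-step revokes the token when the job ends unless `skip-token-revoke` is set, so the one-hour lifetime in the description is an upper bound, which is worth stating in the step name or a comment.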
@@ -27,6 +27,13 @@ jobs:
 create-tag:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate release app token
+ id: app-token
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ with:
+ client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
+ private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -126,13 +133,14 @@ jobs:
 echo "Created and pushed tag: $TAG"
 # Create GitHub Release (triggers docker-publish.yml and releaser-helm-chart.yml)
- # Note: Must use PAT (GH_TOKEN) because GITHUB_TOKEN cannot trigger other workflows
+ # Note: Uses a GitHub App installation token rather than GITHUB_TOKEN,
+ # because events from GITHUB_TOKEN cannot trigger downstream workflows.
 gh release create "$TAG" \
 --title "Release $TAG" \
 --generate-notes
 echo "Created GitHub Release: $TAG"
 env:
- GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 - name: Summary
 run: |
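Review bot: The rewritten `# Note:` comment says an App installation token is used instead of GITHUB_TOKEN but not where it comes from, and the minting step sits about a hundred lines above in the same job; naming it saves the next reader a search: `# Note: GH_TOKEN is the installation token minted by the app-token step above; events from GITHUB_TOKEN cannot trigger downstream workflows.` Only `gh release create` receives the App token in this hunk — the tag push reported by the preceding `echo "Created and pushed tag: $TAG"` happens earlier in the same `run:` block, outside the hunk, and presumably still uses whatever credential actions/checkout persisted, so a workflow keyed on tag pushes would still not fire; if that is intentional, the same comment is the place to say so. The enclosing `run:` block starts outside the hunk.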