From 3f85c286d14bf34766a039868d3a62481306fa1e Mon Sep 17 00:00:00 2001
From: Alex Lorenzi
Date: Tue, 16 Sep 2025 11:26:08 -0400
Subject: [PATCH 1/3] ci: use app token for semantic release workflow Replace GITHUB_TOKEN with generated app token to ensure proper permissions for semantic release operations
---
 .github/workflows/manual-versioning.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/manual-versioning.yml b/.github/workflows/manual-versioning.yml
index 35b9c0d..0f9e3ee 100644
--- a/.github/workflows/manual-versioning.yml
+++ b/.github/workflows/manual-versioning.yml
@@ -16,26 +16,31 @@ jobs:
 release:
 runs-on: ubuntu-latest
 concurrency: release
- permissions:
- id-token: write
- contents: write
 steps:
+ - name: "Generate token"
+ id: generate_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.BOT_APP_ID }}
+ private_key: ${{ secrets.BOT_PRIVATE_KEY }}
+
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
+ token: ${{ steps.generate_token.outputs.token }}
 - name: Python Semantic Release (Automatic)
 if: github.event.inputs.levelBump == 'auto'
 uses: python-semantic-release/python-semantic-release@master
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ steps.generate_token.outputs.token }}
 verbosity: 2
 - name: Python Semantic Release (Manual)
 if: github.event.inputs.levelBump != 'auto'
 uses: python-semantic-release/python-semantic-release@master
 with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ steps.generate_token.outputs.token }}
 force: ${{ github.event.inputs.levelBump }}
 verbosity: 2
From 8f37f222edf42e8a2995d2b95a670fc2ec4cff88 Mon Sep 17 00:00:00 2001
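Review bot: Deleting the job-level `permissions:` block in PATCH 1/3 does not remove the automatic GITHUB_TOKEN; the job now gets whatever the repository or organization default grants, which may be broader than the `contents: write` / `id-token: write` it replaces. Since checkout and both release steps now use the App token, keep an explicit minimal block, e.g. `permissions:` with `contents: read`, so the job's own token stays read-only. The new `github_token: ${{ steps.generate_token.outputs.token }}` lines also hand an App installation token to `python-semantic-release/python-semantic-release@master`, a mutable branch ref; pinning that `uses:` to a full commit SHA (`@<commit-sha>`) keeps a later push to that branch from running with the release bot's credentials. If any step outside this hunk relied on `id-token: write` for OIDC, it would stop working; none is visible here.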
From: Alex Lorenzi <671432+alexlorenzi@users.noreply.github.com>
Date: Tue, 16 Sep 2025 13:16:24 -0400
Subject: [PATCH 2/3] Update manual-versioning.yml Modified bot tokens so they're a bit more descriptive
---
 .github/workflows/manual-versioning.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/manual-versioning.yml b/.github/workflows/manual-versioning.yml
index 0f9e3ee..20152d1 100644
--- a/.github/workflows/manual-versioning.yml
+++ b/.github/workflows/manual-versioning.yml
@@ -22,8 +22,8 @@ jobs:
 id: generate_token
 uses: tibdex/github-app-token@v1
 with:
- app_id: ${{ secrets.BOT_APP_ID }}
- private_key: ${{ secrets.BOT_PRIVATE_KEY }}
+ app_id: ${{ secrets.RELEASE_BOT_APP_ID }}
+ private_key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
 - uses: actions/checkout@v5
 with:
From 3d7291b12c79739667c7f232938b42a73a93bc5d Mon Sep 17 00:00:00 2001
From: Alex Lorenzi <671432+alexlorenzi@users.noreply.github.com>
Date: Tue, 16 Sep 2025 13:23:07 -0400
Subject: [PATCH 3/3] Update manual-versioning.yml Update the generate_token action to use the create-github-app-token action
---
 .github/workflows/manual-versioning.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/manual-versioning.yml b/.github/workflows/manual-versioning.yml
index 20152d1..ff82ac7 100644
--- a/.github/workflows/manual-versioning.yml
+++ b/.github/workflows/manual-versioning.yml
@@ -20,10 +20,10 @@ jobs:
 steps:
 - name: "Generate token"
 id: generate_token
- uses: tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@v2
 with:
- app_id: ${{ secrets.RELEASE_BOT_APP_ID }}
- private_key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
+ app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+ private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
 - uses: actions/checkout@v5
 with:
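Review bot: In PATCH 3/3 the token minted by the `Generate token` step inherits every permission the App installation has, because no `permission-*` input is set under `with:`. Requesting only what the release needs, e.g. `permission-contents: write` (plus anything else semantic release turns out to require), limits what a later step can do with `steps.generate_token.outputs.token`. `actions/create-github-app-token@v2` is also a mutable tag on a step that receives `RELEASE_BOT_PRIVATE_KEY`; pinning it to a full commit SHA (`@<commit-sha>`) is the usual hardening for a step that handles a signing key. The `steps:` list continues outside the hunk.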