From 65c162aa71f1bbba6ba950c9a944622f75c8fc53 Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Fri, 26 Sep 2025 16:15:52 -0700
Subject: [PATCH 1/2] use githu app instead of PAT token

---
 .github/workflows/auto-release.yml | 11 +++++++++--
 .github/workflows/release.yml      | 10 ++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index eeb04e11f066..50f9cf2d22c3 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -13,9 +13,16 @@ jobs:
     name: 'Prepare a new version'
 
     steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
+
       - uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GH_RELEASE_PAT }}
+          token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
 
       # https://github.com/actions-ecosystem/action-regex-match
@@ -31,7 +38,7 @@ jobs:
         uses: getsentry/action-prepare-release@v1
         if: github.event.pull_request.merged == true && steps.version.outputs.match != ''
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+          token: ${{ steps.token.outputs.token }}
         with:
           version: ${{ steps.version.outputs.group1 }}
           force: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ed3b05ba896..f8fd52d85c59 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,14 +17,20 @@ jobs:
     runs-on: ubuntu-24.04
     name: 'Release a new version'
     steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        with:
+          app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
+          private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
       - uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GH_RELEASE_PAT }}
+          token: ${{ steps.token.outputs.token }}
           fetch-depth: 0
       - name: Prepare release
         uses: getsentry/action-prepare-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }}
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
           version: ${{ github.event.inputs.version }}
           force: ${{ github.event.inputs.force }}

From 8ba8638ded781af08d53f246b70cf90988ac46ba Mon Sep 17 00:00:00 2001
From: Jeffrey Hung <17494876+Jeffreyhung@users.noreply.github.com>
Date: Fri, 26 Sep 2025 16:19:23 -0700
Subject: [PATCH 2/2] bad copy and paste

---
 .github/workflows/auto-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 50f9cf2d22c3..4c4f3918fcf0 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -38,7 +38,7 @@ jobs:
         uses: getsentry/action-prepare-release@v1
         if: github.event.pull_request.merged == true && steps.version.outputs.match != ''
         env:
-          token: ${{ steps.token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
           version: ${{ steps.version.outputs.group1 }}
           force: false