From dad87d4e08d2ea98f9d7750f1bde136b4ae18649 Mon Sep 17 00:00:00 2001
From: Adam Bannach <113929542+abannachGrafana@users.noreply.github.com>
Date: Tue, 6 May 2025 10:47:30 -0500
Subject: [PATCH] chore(workflows): use app-token for release-please action
---
 .github/workflows/release-please.yml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index f1782a6..0fc7a29 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -10,19 +10,32 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
+ contents: read
+ id-token: write
 outputs:
 release_created: ${{ steps.release.outputs.release_created }}
 tag_name: ${{ steps.release.outputs.tag_name }}
 major: ${{ steps.release.outputs.major }}
 minor: ${{ steps.release.outputs.minor }}
 steps:
+ - id: get-secrets
+ uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # get-vault-secrets-v1.1.0
+ with:
+ repo_secrets: |
+ GITHUB_APP_ID=helper-bot:app-id
+ GITHUB_APP_PRIVATE_KEY=helper-bot:private-key
+
+ - uses: actions/create-github-app-token@v2
+ id: app-token
+ with:
+ app-id: ${{ env.GITHUB_APP_ID }}
+ private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
 - id: release
 uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
 with:
 config-file: release-please-config.json
 manifest-file: .release-please-manifest.json
+ token: ${{ steps.app-token.outputs.token }}
 update-major-minor:
 runs-on: ubuntu-latest
 needs: [release-please]
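Review bot: `actions/create-github-app-token@v2` in the new `app-token` step is referenced by a mutable tag, while the two neighbouring actions are pinned to full commit SHAs. This step receives the App private key, so it should be pinned the same way, e.g. `uses: actions/create-github-app-token@<full-commit-sha> # v2.x.y` (placeholder; resolve it from the release you have reviewed). The minted token also inherits every permission of the helper-bot installation, whereas the job previously ran with only `contents: write` and `pull-requests: write`. Adding `permission-contents: write` and `permission-pull-requests: write` under that step's `with:` would keep the release-please step at the old scope. The vault values are read back through `env.*`, which suggests the private key stays in the job environment for the later release-please step too; it is worth confirming whether it can be limited to the one step that needs it.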