
fix: drop GitHub App token from release-please workflow #36

Merged
nicknisi merged 2 commits into main from nicknisi/ignore-changelog-formatting on May 18, 2026

Conversation

@nicknisi (Member)

Summary

  • Removes the create-github-app-token step from the release-please workflow
  • release-please now uses the default GITHUB_TOKEN instead
  • Also excludes CHANGELOG.md from oxfmt formatting

Why

The GitHub App token (failed run) was cargo-culted from authkit-tanstack-start where it's needed for cross-workflow triggers. With publishing inlined into the same workflow, GITHUB_TOKEN is sufficient — release-please gets contents: write + pull-requests: write from the workflow permissions.

No NPM_TOKEN needed — publishing uses npm trusted publishing via OIDC (id-token: write + --provenance).

Test plan

  • Merge → release-please workflow should run clean on main
  • Next conventional commit should produce a release PR
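As an added illustration (not the repository's actual workflow file, which this page does not show), the following is a release-please workflow in the shape the description implies: release-please and npm publishing inlined in one workflow, no App token, and each job requesting only the permissions it needs. The job names, action version tags, Node version and pnpm steps are assumptions; only the permission sets, the dropped create-github-app-token step, the `release_created` output and `--provenance` come from the description.

```yaml
name: release-please

on:
  push:
    branches: [main]

# Workflow-level default: no permissions at all. Each job requests only what
# it needs, so the GITHUB_TOKEN minted for a job is scoped to that job.
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create tags and GitHub releases
      pull-requests: write   # open and update the release PR
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
    steps:
      # Per the PR description, an actions/create-github-app-token step
      # previously ran here with SDK_BOT_APP_ID / SDK_BOT_PRIVATE_KEY secrets
      # and its token was passed to the action as `token:`. With no `token:`
      # input the action falls back to GITHUB_TOKEN, so the App's private key
      # no longer needs to exist as a repository secret.
      - uses: googleapis/release-please-action@v4   # assumed version tag
        id: release

  publish:
    needs: release-please
    # Outputs are strings, hence the comparison against 'true'.
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only; this job never writes to the repo
      id-token: write  # mint the OIDC token that npm trusted publishing verifies
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4   # assumed
      - uses: actions/setup-node@v4
        with:
          node-version: 22           # assumed
      - run: pnpm install --frozen-lockfile
      - run: pnpm build              # assumed build script
      # No NPM_TOKEN secret: the registry trusts the OIDC identity of this
      # workflow run, and --provenance attaches a signed attestation that links
      # the published tarball to this exact commit and workflow.
      - run: pnpm publish --provenance --no-git-checks
```

The caveat that makes this layout mandatory: events created with GITHUB_TOKEN (the release PR, the tag, the release) do not trigger other workflows, which is why the publish job must live in the same workflow and be chained via `needs` rather than in a separate `on: release` workflow; if publishing is ever split out again, it will silently never run unless an App or PAT token is reintroduced. In exchange, the repository holds no long-lived signing-capable private key, and a compromised release job cannot act on any other repository the App was installed in.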

nicknisi added 2 commits May 18, 2026 09:47
The app token was cargo-culted from authkit-tanstack-start where it's
needed for cross-workflow triggers. With publishing inlined into this
same workflow, GITHUB_TOKEN is sufficient.
@devin-ai-integration (Bot, Contributor) left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.


@nicknisi nicknisi merged commit 8b967a5 into main May 18, 2026
8 checks passed
@greptile-apps (Bot) commented May 18, 2026

Greptile Summary

This PR simplifies the release-please workflow by removing the GitHub App token step and letting the action use the default GITHUB_TOKEN, which already carries the required contents: write and pull-requests: write permissions. It also excludes CHANGELOG.md from oxfmt formatting to prevent the auto-generated file from being reformatted.

  • Drops actions/create-github-app-token and its associated SDK_BOT_APP_ID/SDK_BOT_PRIVATE_KEY secrets from the release-please job; since publishing is inlined in the same workflow (no cross-workflow trigger needed), GITHUB_TOKEN is sufficient.
  • Adds CHANGELOG.md to the ignorePatterns in .oxfmtrc.json so oxfmt leaves the release-please–managed changelog untouched.

Confidence Score: 5/5

Safe to merge — both changes are straightforward removals/additions with no risk to the release or publish flow.

Removing the GitHub App token is correct here: the publish job is inlined in the same workflow, so there is no cross-workflow trigger requirement, and the workflow-level GITHUB_TOKEN already carries the exact permissions release-please needs. The .oxfmtrc.json change is a mechanical addition that prevents the formatter from touching an auto-generated file.

No files require special attention.

Important Files Changed

Filename                              | Overview
.github/workflows/release-please.yml  | Removes the create-github-app-token step and passes no explicit token to release-please-action, so it falls back to the workflow-level GITHUB_TOKEN which already has contents: write and pull-requests: write.
.oxfmtrc.json                         | Adds CHANGELOG.md to the oxfmt ignore patterns so the auto-generated changelog is not reformatted.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub (push to main)
    participant RP as release-please job
    participant RPAction as release-please-action
    participant Pub as publish job
    participant NPM as npm registry

    GH->>RP: trigger on push
    Note over RP: Uses GITHUB_TOKEN<br/>(contents:write, pull-requests:write)
    RP->>RPAction: run googleapis/release-please-action
    RPAction-->>GH: create/update release PR or tag

    alt "release_created == true"
        RP-->>Pub: "outputs.release_created = true"
        GH->>Pub: trigger publish job
        Note over Pub: permissions:<br/>contents:read, id-token:write
        Pub->>Pub: checkout, install, build
        Pub->>NPM: pnpm publish --provenance (OIDC)
    end

Reviews (1): Last reviewed commit: "fix: drop GitHub App token, use GITHUB_T..."
