From 04ea8b749ad1532dacd0b937540cbd96eb3b3655 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?James=20Pether=20S=C3=B6rling?= Date: Tue, 14 Jul 2026 23:54:39 +0200 Subject: [PATCH] Update release.yml use app for releas MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: James Pether Sörling --- .github/workflows/release.yml | 42 ++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index abb74d816a..02de0f0480 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,7 +6,7 @@ on: version: description: "Version to release (vX.Y.Z format)" required: true - default: "v0.1.0" + default: "v1.0.0" prerelease: description: "Is this a pre-release?" type: boolean @@ -55,9 +55,19 @@ jobs: # and don't need it. run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + token: ${{ steps.app-token.outputs.token }} + persist-credentials: true fetch-depth: 0 - name: Get version @@ -242,9 +252,19 @@ jobs: with: egress-policy: audit + + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + token: ${{ steps.app-token.outputs.token }} + persist-credentials: true fetch-depth: 0 # Use GITHUB_REF directly for tag events ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'workflow_dispatch' && github.event.inputs.version || '' }} @@ -361,10 +381,18 @@ jobs: with: egress-policy: audit - # Checkout main branch to get latest documentation + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + token: ${{ steps.app-token.outputs.token }} + persist-credentials: true fetch-depth: 0 ref: main # Always use main branch for deployment @@ -390,7 +418,7 @@ jobs: publish: false prerelease: ${{ needs.prepare.outputs.is_prerelease }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} # Create GitHub Release with all artifacts - name: Create GitHub Release @@ -439,12 +467,15 @@ jobs: artifacts/security/euparliamentmonitor-${{ needs.prepare.outputs.version }}.spdx.json artifacts/security/euparliamentmonitor-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl artifacts/security/euparliamentmonitor-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} # ─── npm Publish ──────────────────────────────────────────────────── - - name: Checkout release tag for npm publish + + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + token: ${{ steps.app-token.outputs.token }} + persist-credentials: true ref: ${{ needs.prepare.outputs.version }} - name: Setup Node.js for npm publish @@ -490,7 +521,6 @@ jobs: - name: Publish to npm with provenance run: npm publish --provenance --access public env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: true - name: Verify npm package