From 6a49dc67fe2d695b305f5758b73647ace49e06ee Mon Sep 17 00:00:00 2001
From: rosstaco
Date: Thu, 28 May 2026 21:52:11 +1000
Subject: [PATCH] ci: use GitHub App token for release-please

Replace the default GITHUB_TOKEN with a token minted from a GitHub App via actions/create-github-app-token. App tokens trigger workflows on PRs they open, so CI will now run on release-please PRs (which is required once branch protection enforces status checks on main).

Requires repo-level configuration:
- variable: RELEASE_PLEASE_APP_ID
- secret: RELEASE_PLEASE_APP_PRIVATE_KEY

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release-please.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index f29f940..ff512e7 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -4,15 +4,21 @@ on:
 push:
 branches: [main]

-permissions:
- contents: write
- pull-requests: write
+permissions: {}

 jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: ${{ vars.RELEASE_PLEASE_APP_ID }}
+ private-key: ${{ secrets.RELEASE_PLEASE_APP_PRIVATE_KEY }}
+
 - uses: googleapis/release-please-action@v4
 with:
+ token: ${{ steps.app-token.outputs.token }}
 config-file: release-please-config.json
 manifest-file: .release-please-manifest.json
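Review bot: The `Generate GitHub App token` step mints a token with no scope restriction, so it carries every permission the App installation holds rather than only the `contents: write` and `pull-requests: write` that the removed `permissions:` block allowed. Narrow it under that step's `with:` by adding `permission-contents: write` and `permission-pull-requests: write`, assuming release-please needs nothing beyond the old scopes. The same step receives `RELEASE_PLEASE_APP_PRIVATE_KEY` but is referenced by the movable tag `@v1`; pinning it to a full commit SHA, `uses: actions/create-github-app-token@<FULL_COMMIT_SHA>  # v1.x.y`, keeps a retagged release from ever seeing the key.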