Merge pull request #124 from algorandfoundation/chore/bot-token-workflow

p2arthur · lempira · commit 83bc768b71ef · 2025-11-24T15:03:56.000-05:00
Chore/bot token workflow
diff --git a/.github/workflows/prod_release.yml b/.github/workflows/prod_release.yml
@@ -3,29 +3,41 @@ name: Prod Publish
 on:
   workflow_dispatch:
 
-permissions:
-  contents: write
 
 jobs:
   prod_release:
     runs-on: ubuntu-latest
     steps:
-      - name: Clone repository
-        uses: actions/checkout@v3
+      # Step to generate the bot token for semantic release
+      - name: Generate bot token
+        uses: actions/create-github-app-token@v1
+        id: app_token
+        with:
+          app_id: ${{ secrets.BOT_ID}}
+          private_key: ${{ secrets.BOT_SK }}
+
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ steps.app_token.outputs.token }}
+
+      # Set git user to the GitHub App
+      - name: Set Git user as GitHub actions
+        run: git config --global user.email "179917785+engineering-ci[bot]@users.noreply.github.com" && git config --global user.name "engineering-ci[bot]"
+
+
       - name: Merge main -> release
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f
         with:
           type: now
           from_branch: main
           target_branch: release
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app_token.outputs.token }}
       - name: Merge release -> main
         uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f
         with:
           type: now
           from_branch: release
           target_branch: main
           message: Merge release back to main to get version increment [no ci]
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app_token.outputs.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,11 +9,6 @@ on:
 
 concurrency: release
 
-permissions:
-  contents: write
-  issues: write
-  checks: write
-
 jobs:
   ci:
     name: Continuous Integration
@@ -61,10 +56,23 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - name: Clone repository
-        uses: actions/checkout@v3
+
+      # Step to generate the bot token for semantic release
+      - name: Generate bot token
+        uses: actions/create-github-app-token@v1
+        id: app_token
+        with:
+          app_id: ${{ secrets.BOT_ID}}
+          private_key: ${{ secrets.BOT_SK }}
+
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          token: ${{ steps.app_token.outputs.token }}
+
+      # Set git user to the GitHub App
+      - name: Set Git user as GitHub actions
+        run: git config --global user.email "179917785+engineering-ci[bot]@users.noreply.github.com" && git config --global user.name "engineering-ci[bot]"
 
       # semantic-release needs node 20
       - name: Use Node.js 20.x
@@ -90,5 +98,6 @@ jobs:
       - name: 'Semantic release'
         run: npx semantic-release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Use the GitHub App token for authentication
+          GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
