ci: ensure the auto-created release-please action runs CI

[lumirlumir]

Prerequisites checklist

• I have read the contributing guidelines.

What is the purpose of this pull request?

This PR follows up on eslint/css#330.

In this PR, I've ensured the auto-created release-please action triggers CI.

Problem

Currently, the auto-created PR from the release-please action does not trigger CI, as shown below:

For example: eslint/rewrite#336

This can result in CI not running and may lead to issues like eslint/rewrite#308 if the check is missing.

Solution

I've used secrets.WORKFLOW_PUSH_BOT_TOKEN instead of the default secrets.GITHUB_TOKEN, following the same approach described in eslint/css#330.

Also, the permissions for contents and pull-requests is no longer necessary because secrets.WORKFLOW_PUSH_BOT_TOKEN already grants the required permissions, so I removed it.

FYI: the token input reference: https://github.com/googleapis/release-please-action?tab=readme-ov-file#action-inputs

Test

I've tested it in my forked repository (using rewrite repository), and it works as expected:

lumirlumir/fork-rewrite#9

• Before: CI wasn't running

• After: CI is running

What changes did you make? (Give an overview)

This PR follows up on eslint/css#330.

In this PR, I've ensured the auto-created release-please action triggers CI.

Related Issues

Ref: eslint/css#330

Is there anything you'd like reviewers to focus on?

N/A

[Copilot]

Pull request overview

This PR updates the release-please workflow to ensure that automatically created release PRs trigger CI checks. By switching from the default GITHUB_TOKEN to WORKFLOW_PUSH_BOT_TOKEN, PRs created by the release-please action will now properly trigger CI workflows, preventing releases from being created without proper validation.

Key Changes:

• Replaced GITHUB_TOKEN with WORKFLOW_PUSH_BOT_TOKEN for the release-please action
• Removed explicit contents: write and pull-requests: write permissions (redundant with bot token)
• Maintained id-token: write permission for npm provenance support

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mdjermanovic]

I'm not sure about this, but per https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions, "If you specify the access for any of these permissions, all of those that are not specified are set to none", which means contents will be none for steps that use GITHUB_TOKEN? Docs for trusted publishing (https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow) have contents: read in the example, so perhaps it would be safer to change write -> read instead of just removing the line?