diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 8c16d46..ed80480 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -21,4 +21,4 @@ jobs:
 with:
 update-types: patch
 secrets:
- app-private-key: ${{ secrets.MIF_CI_CLIENT_APP_PRIVATE_KEY }}
+ app-private-key: ${{ secrets.AUTOMERGE_CLIENT_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5ee05ad..4c2ae94 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -343,7 +343,7 @@ jobs:
 needs: [meta, verify, sign-catalog]
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read # release creation now uses the release App token
 steps:
 - name: Download all artifacts
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -364,9 +364,18 @@ jobs:
 cd dist
 sha256sum -- * > "${NAME}-${VERSION}-checksums.txt"
 cat "${NAME}-${VERSION}-checksums.txt"
+ - name: Mint release app token (publish identity)
+ id: release_token
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ with:
+ client-id: ${{ vars.RELEASE_CLIENT_APP_ID }}
+ private-key: ${{ secrets.RELEASE_CLIENT_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: ${{ github.event.repository.name }}
+
 - name: Create GitHub Release
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.release_token.outputs.token }}
 VERSION: ${{ needs.meta.outputs.version }}
 run: |
 set -euo pipefail
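Review bot: The new inline comment on `contents: read` records why the write grant was dropped but not what the replacement depends on, so nothing in the repository states that the release App installation must itself hold Contents: write for the later release-creation step to succeed. A maintainer re-installing or rotating that App has no in-tree statement of the required permission to check against. I would extend the comment to `contents: read # GITHUB_TOKEN no longer creates the release; the release App (installed with Contents: write) is used via steps.release_token`. The `permissions:` map may carry further keys outside this hunk.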
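Review bot: The minted token is not narrowed to the one permission the step needs: with no `permission-*` input under `with:`, `actions/create-github-app-token` issues a token carrying every permission the installation holds, so a leak of `steps.release_token.outputs.token` grants whatever the App was installed with rather than release creation alone; adding `permission-contents: write` scopes it down. Separately, `repositories: ${{ github.event.repository.name }}` evaluates to an empty string for events whose payload has no `repository` object (e.g. `schedule`), and per the action's documentation an `owner` with empty `repositories` falls back to every repository in that owner's installation — the opposite of the intended narrowing. Dropping both `owner:` and `repositories:` lines makes the action default to the current repository only, which is what this step wants. The workflow's trigger list and the body of the release `run:` script are outside this hunk.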