From 7fc821a9f19ddc258ebec2cf7d7644e33704335b Mon Sep 17 00:00:00 2001 From: Yuki Fujisaki Date: Thu, 14 May 2026 18:20:34 +0900 Subject: [PATCH] ci: authenticate release-please with a GitHub App token PRs opened by the default GITHUB_TOKEN do not trigger downstream workflows, so the CI workflow never ran on the release-please PR. Mint a GitHub App installation token via actions/create-github-app-token and pass it to release-please-action; CI now sees the PR as a normal non-bot author and runs as expected. Requires repository secrets RELEASE_PLEASE_APP_ID and RELEASE_PLEASE_PRIVATE_KEY (App with contents:write and pull-requests:write installed on this repo). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aa4d0d9..69e1774 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,15 +4,18 @@ on: push: branches: [main] -permissions: - contents: write - pull-requests: write - jobs: release-please: runs-on: ubuntu-latest steps: + - uses: actions/create-github-app-token@v2 + id: app-token + with: + app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }} + private-key: ${{ secrets.RELEASE_PLEASE_PRIVATE_KEY }} + - uses: googleapis/release-please-action@v4 with: + token: ${{ steps.app-token.outputs.token }} config-file: .release-please-config.json manifest-file: .release-please-manifest.json
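Review bot: Deleting the top-level `permissions:` block does not take the GITHUB_TOKEN away from the job; with no `permissions` key the token falls back to the repository or organization default, which can be broader than the `contents: write` / `pull-requests: write` it replaces. Since both visible steps now authenticate with the App token, declare `permissions: {}` instead of dropping the key (or `contents: read` if a step outside this hunk checks out code). The minted token also inherits every permission of the App installation unless narrowed, so adding `permission-contents: write` and `permission-pull-requests: write` under the `create-github-app-token` step's `with:` would hold it to what the commit message says is needed. That step receives `RELEASE_PLEASE_PRIVATE_KEY` and is referenced by the mutable tag `@v2`; pinning it to a full commit SHA would keep a retagged release from reading the key.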