From b82a5fe7d63abea1f34dd40b216f536886645a0e Mon Sep 17 00:00:00 2001
From: Matt Kane
Date: Thu, 2 Apr 2026 21:10:51 +0100
Subject: [PATCH] fix: use GitHub App token for release workflow (#130)
GITHUB_TOKEN can't trigger CI on PRs it creates, so the changesets release PR could never pass required checks. Use a GitHub App token instead, which triggers workflows normally. Also pins all actions to commit SHAs and uses frozen lockfile.
---
 .github/workflows/release.yml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 30264e0..21172b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,23 +16,31 @@ jobs:
 id-token: write
 pull-requests: write
 steps:
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ token: ${{ steps.app-token.outputs.token }}
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
- node-version: lts/*
+ node-version: 22
 cache: pnpm
 registry-url: https://registry.npmjs.org
 - name: Install dependencies
- run: pnpm install
+ run: pnpm install --frozen-lockfile
 - name: Build packages
 run: pnpm build
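Review bot: The `Generate token` step requests the App installation token with no permission inputs, so it carries every permission the App holds on this repository, and it is handed to `actions/checkout` before `pnpm install` and `pnpm build` run. Checkout keeps the token available for later git operations unless `persist-credentials: false` is set, so dependency lifecycle scripts and the build execute in a job where that token can be read; `--frozen-lockfile` pins what is installed but not what those packages' scripts do. Narrowing the token at creation limits what a compromised step could do with it: under the step's `with:` add `permission-contents: write` and `permission-pull-requests: write` (presumably the set the release flow needs; confirm against what the App is granted). The same token is exported as `GITHUB_TOKEN` to the changesets step in the second hunk, so the narrowing applies there as well.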
@@ -42,11 +50,11 @@ jobs:
 - name: Create Release Pull Request or Publish
 id: changesets
- uses: changesets/action@v1
+ uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # v1.4.9
 with:
 version: pnpm changeset version
 publish: pnpm changeset publish
 commit: "ci: release"
 title: "ci: release"
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
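Review bot: The `GITHUB_TOKEN` env entry at the end of this hunk now holds an App token rather than the workflow token, and nothing in the file records why, so a later cleanup could switch it back and quietly reintroduce release PRs whose required checks never start. A one-line comment above the entry would keep the reason next to the code: `# App token, not secrets.GITHUB_TOKEN: PRs opened with the workflow token do not trigger CI`. The same comment fits the `token:` input on the Checkout step in the first hunk.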