@@ -143,10 +143,26 @@ jobs:
143143 newest_release_tag : ${{ steps.release.outputs.tag }}
144144
145145 steps :
146+ # Mint a short-lived installation token for the release-bot GitHub
147+ # App, which is in the main ruleset's bypass_actors list so PSR's
148+ # version-bump commit/tag push isn't blocked by required checks.
149+ # Per PSR's docs, the same token must be passed to actions/checkout
150+ # (via `token`) so its persisted http.extraheader doesn't override
151+ # PSR's URL-embedded auth at push time and re-attribute the push
152+ # to github-actions[bot].
153+ - name : Generate release App token
154+ if : github.ref_name == 'main'
155+ id : app-token
156+ uses : actions/create-github-app-token@v2
157+ with :
158+ app-id : ${{ secrets.RELEASE_APP_ID }}
159+ private-key : ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
160+
146161 - uses : actions/checkout@v6
147162 with :
148163 fetch-depth : 0
149164 ref : ${{ github.ref }}
165+ token : ${{ steps.app-token.outputs.token || github.token }}
150166
151167 - name : Create local branch name
152168 run : git switch -C ${{ github.head_ref || github.ref_name }}
@@ -158,17 +174,6 @@ jobs:
158174 with :
159175 no_operation_mode : true
160176
161- # Mint a short-lived installation token for the release-bot GitHub
162- # App, which is in the main ruleset's bypass_actors list so PSR's
163- # version-bump commit/tag push isn't blocked by required checks.
164- - name : Generate release App token
165- if : github.ref_name == 'main'
166- id : app-token
167- uses : actions/create-github-app-token@v2
168- with :
169- app-id : ${{ secrets.RELEASE_APP_ID }}
170- private-key : ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
171-
172177 # On main branch: actual PSR + upload to PyPI & GitHub
173178 - name : Release
174179 uses : python-semantic-release/python-semantic-release@v10.5.3
0 commit comments